Description
Stack buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a stack buffer overflow that occurs in Chrome’s WebRTC implementation. A malicious, specially crafted web page can cause the browser to overwrite memory on the stack, potentially allowing the attacker to execute arbitrary code. The flaw is classified as a high severity issue by the Chromium security team, reflecting its ability to compromise the integrity and confidentiality of the system being attacked.

Affected Systems

The weakness is present in all releases of Google Chrome prior to version 146.0.7680.153. Users of the Chrome browser on any operating system—Windows, macOS, Linux, or other platforms—are at risk if they have not applied the most recent update that addresses the issue. No other software vendors or product lines are reported to be affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high potential impact if the flaw is successfully exploited. However, the EPSS score of less than 1% suggests that active exploitation in the wild is unlikely at this time. The flaw is not listed in the CISA KEV catalog, which further indicates limited public exploitation. The typical attack requires a user to open a malicious HTML page in the browser, so social engineering or a drive-by download plays a key role in the exploit path. While the technical risk is high, the current exploit likelihood remains low.

Generated by OpenCVE AI on March 20, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Chrome version 146.0.7680.153 or later to remove the stack buffer overflow in WebRTC.
  • If immediate update is not possible, disable the WebRTC feature via Chrome flags or enterprise policy to block access to the vulnerable code path.
  • Monitor user activity for attempts to load untrusted web content and educate users on phishing and malicious site risks.



Advisories
Source: Debian DSA
ID: DSA-6171-1
Title: chromium security update
History

Fri, 20 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Stack Buffer Overflow in WebRTC via Crafted HTML Page chromium-browser: Stack buffer overflow in WebRTC
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important


Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Remote Stack Buffer Overflow in WebRTC via Crafted HTML Page

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Stack buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-121
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:34.131Z

Reserved: 2026-03-19T20:23:49.144Z

Link: CVE-2026-4444

Vulnrichment

Updated: 2026-03-20T14:35:02.978Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:37.073

Modified: 2026-03-20T19:32:16.683

Link: CVE-2026-4444

Redhat

Severity: Important

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:10:02Z

Weaknesses