Description
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inappropriate implementation in the V8 JavaScript engine of Google Chrome allowed a remote attacker to execute arbitrary code inside a sandbox through a crafted HTML page. The weakness, identified as CWE‑843 and CWE‑693, leads to remote code execution, which can result in full loss of confidentiality, integrity, and availability of the user’s system.

Affected Systems

The vulnerability affects Google Chrome browsers version 146.0.7680.153 and earlier. All operating systems that run Chrome – Windows, macOS, and Linux – are impacted as the defect exists in the core JavaScript engine shared across platforms.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity, while the EPSS score of less than 1% indicates limited exploit probability. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to host a malicious web page that the victim visits; the attack vector is a web exploits scenario, allowing remote code execution within the browser sandbox.

Generated by OpenCVE AI on June 10, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure Google Chrome is updated to version 146.0.7680.153 or later on all systems.
  • Enforce strict type validation and restrict dynamic JavaScript execution in Chrome, mitigating the type confusion weakness identified by CWE‑843.
  • Block or monitor malicious domains and URLs that could host crafted pages to prevent exploitation until the patch is applied.

Generated by OpenCVE AI on June 10, 2026 at 21:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6171-1 chromium security update
History

Wed, 10 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-264

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Chrome V8 Sandbox Escape via Crafted HTML chromium-browser: Inappropriate implementation in V8
Weaknesses CWE-843
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Chrome V8 Sandbox Escape via Crafted HTML
Weaknesses CWE-264

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-10T19:34:37.590Z

Reserved: 2026-03-19T20:23:50.155Z

Link: CVE-2026-4447

cve-icon Vulnrichment

Updated: 2026-03-20T14:34:52.043Z

cve-icon NVD

Status : Modified

Published: 2026-03-20T02:16:37.520

Modified: 2026-06-17T10:56:35.663

Link: CVE-2026-4447

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4447 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T22:00:08Z

Weaknesses