CVE-2026-4452 - Vulnerability Details

- chromium-browser: Integer overflow in ANGLE

Description

Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Published: 2026-03-20

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An integer overflow occurs in ANGLE, the graphics abstraction layer used by Google Chrome on Windows. When Chrome parses a maliciously crafted HTML page, the overflow can corrupt heap objects, potentially allowing an attacker to alter program control flow and achieve arbitrary code execution if exploitation succeeds. The flaw is caused by unchecked arithmetic operations (CWE-190) and improper buffer handling (CWE-472).

Affected Systems

Google Chrome versions for Windows released before 146.0.7680.153 contain the vulnerability. The issue is limited to builds that include ANGLE and is not present in newer releases that have applied the integer‑overflow fix. End‑users on Windows who have earlier Chrome versions need to upgrade.

Risk and Exploitability

The CVSS base score of 8.8 marks the flaw as high severity. However, an EPSS score of less than 1% suggests that real‑world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require a victim to visit a specially crafted HTML page or otherwise render content that triggers the integer overflow, a client‑side attack that does not rely on remote network access beyond normal browsing.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Chrome

affected

Version	Status	Constraints
`146.0.7680.153`	affected	< 146.0.7680.153

Configuration 1 [-]

AND

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Google

Chrome

100%

Version	Status	Scheme	Platform
`[146.0.7680.153,146.0.7680.153)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Google Chrome to version 146.0.7680.153 or newer on Windows.
Verify the update by opening the browser’s About page to confirm the new version number.

Generated by OpenCVE AI on March 20, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6171-1	chromium security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html
https://issues.chromium.org/issues/487977696
https://nvd.nist.gov/vuln/detail/CVE-2026-4452
https://www.cve.org/CVERecord?id=CVE-2026-4452

History

Fri, 20 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft windows
CPEs		cpe:2.3:a:google:chrome:::::::: cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Microsoft Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Fri, 20 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title	ANGLE Integer Overflow Heap Corruption Vulnerability in Chrome	chromium-browser: Integer overflow in ANGLE
Weaknesses		CWE-190
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4452 https://www.cve.org/CVERecord?id=CVE-2026-4452
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 20 Mar 2026 11:15:00 +0000

Type	Values Removed	Values Added
Title		ANGLE Integer Overflow Heap Corruption Vulnerability in Chrome

Fri, 20 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google chrome
Vendors & Products		Google Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses		CWE-472
References		https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html https://issues.chromium.org/issues/487977696

Subscriptions

Google Chrome

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: Chrome

Published: 2026-03-20T01:34:51.585Z

Updated: 2026-03-21T04:01:15.165Z

Reserved: 2026-03-19T20:23:51.397Z

Link: CVE-2026-4452

Vulnrichment

Updated: 2026-03-20T14:23:56.517Z

NVD

Status : Analyzed

Published: 2026-03-20T02:16:38.207

Modified: 2026-03-20T18:07:58.067

Link: CVE-2026-4452

Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4452 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:09:53Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object