Description
Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Google Chrome contains a use‑after‑free flaw in its network stack that can corrupt heap memory when a specially crafted HTML page is parsed. The vulnerability is classified as a use‑after‑free (CWE‑416) and leads to heap corruption (CWE‑825). The description states that a remote attacker could potentially exploit this corruption, implying that arbitrary code execution is a possible outcome if an exploit is crafted, which would allow compromise of the browser and potentially the underlying host system. This potential impact is inferred from the description and has not been confirmed as a fully mature exploit.

Affected Systems

All versions of Google Chrome older than 146.0.7680.153 on Windows, macOS, and Linux are affected. Any user running an earlier Chrome release on any of these operating systems is susceptible.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.8, indicating high severity. The EPSS score is reported as less than 1 %, suggesting that exploitation is currently unlikely. It is not listed in the CISA KEV catalog. The likely attack vector is remote via a crafted HTML page; a user must visit a malicious or compromised website to trigger the heap corruption. Both the likelihood of exploitation and the severity imply a significant risk if an attacker succeeds.

Generated by OpenCVE AI on March 20, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 146.0.7680.153 or later on all affected operating systems.

Generated by OpenCVE AI on March 20, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6171-1 chromium security update
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use‑after‑free in Chrome Network Module Allowing Remote Code Execution via Crafted HTML chromium-browser: Use after free in Network
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Use‑after‑free in Chrome Network Module Allowing Remote Code Execution via Crafted HTML

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:13.960Z

Reserved: 2026-03-19T20:23:51.829Z

Link: CVE-2026-4454

cve-icon Vulnrichment

Updated: 2026-03-20T14:23:53.464Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:38.490

Modified: 2026-03-20T18:08:17.390

Link: CVE-2026-4454

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4454 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:51Z

Weaknesses