Description
Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via sandbox escape
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in Chrome’s Digital Credentials API, classified as CWE-416 and CWE-825, can trigger memory corruption that may result in a sandbox escape, potentially allowing an attacker to execute arbitrary code with elevated privileges within the browser process.

Affected Systems

The vulnerability affects Google Chrome installations older than version 146.0.7680.153 on all major platforms, including Windows, macOS, and Linux, because the Digital Credentials API is present across these operating systems.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, while the EPSS score (<1%) indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits yet. Based on the description, the likely attack vector is a crafted HTML page that the user must load, combined with a renderer process the attacker has already compromised; the use-after-free is then the step that escapes the sandbox. This inference is drawn from the statement that a remote attacker who has compromised the renderer process can potentially perform a sandbox escape via a crafted HTML page.

Generated by OpenCVE AI on March 20, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.153 or later
  • Verify that the update was applied by checking the browser version in Settings → About Chrome
  • Ensure automatic updates are enabled or configure enterprise policy to enforce mandatory updates


Advisories
Source | ID | Title
Debian DSA | DSA-6171-1 | chromium security update
History

Fri, 20 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Digital Credentials API Allows Sandbox Escape via Crafted Page chromium-browser: Use after free in Digital Credentials API
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important


Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Use After Free in Chrome Digital Credentials API Allows Sandbox Escape via Crafted Page

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:29.372Z

Reserved: 2026-03-19T20:23:52.337Z

Link: CVE-2026-4456

Vulnrichment

Updated: 2026-03-20T14:23:47.428Z

NVD

Status: Analyzed

Published: 2026-03-20T02:16:38.780

Modified: 2026-03-20T17:59:23.127

Link: CVE-2026-4456

Red Hat

Severity: Important

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4456 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:09:49Z
