Description
Type Confusion in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap corruption potentially leading to remote code execution
Action: Patch Immediately
AI Analysis

Impact

A type confusion flaw in the V8 JavaScript engine allows an attacker to create a specially crafted HTML page that can cause heap corruption in Google Chrome. The corrupt memory can compromise process integrity and, if the attacker succeeds, may lead to arbitrary code execution. The weakness is identified as CWE‑843.

Affected Systems

The flaw affects any installation of Google Chrome running a version earlier than 146.0.7680.153 on supported operating systems, including Windows, macOS, and Linux.

Risk and Exploitability

The CVSS score of 8.8 signifies high severity, while an EPSS score below 1% indicates a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread public exploitation yet. The most likely attack vector is a malicious web page that an end‑user visits; successful exploitation would require the user to load the crafted HTML, typically through phishing or compromised sites.

Generated by OpenCVE AI on March 20, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.153 or later
  • Verify the Chrome version on each affected system and apply the latest stable update
  • If automatic updates are disabled, configure Chrome to install security updates promptly

Generated by OpenCVE AI on March 20, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6171-1 chromium security update
History

Fri, 20 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Type Confusion in V8
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Type Confusion in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-843
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:11.760Z

Reserved: 2026-03-19T20:23:52.980Z

Link: CVE-2026-4457

cve-icon Vulnrichment

Updated: 2026-03-20T14:23:44.148Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:38.917

Modified: 2026-03-20T17:58:59.643

Link: CVE-2026-4457

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4457 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:48Z

Weaknesses