{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4440", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-19T20:23:47.604Z", "datePublished": "2026-03-20T01:34:44.077Z", "dateUpdated": "2026-03-20T01:34:44.077Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.153", "status": "affected", "lessThan": "146.0.7680.153", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in WebGL in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Critical)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out of bounds read and write"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-20T01:34:44.077Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/485935305"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in WebGL in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Critical)"}], "id": "CVE-2026-4440", "lastModified": "2026-03-20T02:16:36.520", "metrics": {}, "published": "2026-03-20T02:16:36.520", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/485935305"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received"}

{"bugzilla": {"description": "chromium-browser: Out of bounds read and write in WebGL", "id": "2449394", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449394"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["An out of bounds read and write flaw was found in the WebGL component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=485935305"], "name": "CVE-2026-4440", "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4440\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4440\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/485935305"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,146.0.7680.153)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-20T03:30:21.176900+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 146.0.7680.153 or later, which contains the WebGL patch.", "If an immediate update is infeasible, temporarily disable WebGL by setting chrome://flags/#disable-webgl to On and restart Chrome.", "Monitor Chrome release notes for additional mitigations or hotfixes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affecting all versions of Google Chrome on supported platforms that precede release 146.0.7680.153, including the Chrome stable channel, as outlined in the vendor release notes.", "description_and_impact": "The vulnerability is an out\u2011of\u2011bounds read and write in the WebGL component of Google Chrome before version 146.0.7680.153. A remote attacker can supply a specially crafted HTML page that causes Chrome to read or write beyond the intended memory bounds, resulting in arbitrary memory corruption. This flaw can potentially allow an attacker to compromise confidentiality, integrity, and availability of the victim\u2019s data or process. The weakness is consistent with CWE\u2011119: Improper Restriction of Operations within the Bounds of a Memory Buffer.", "risk_and_exploitability": "The vendor classifies the issue as Critical. The exploit can be delivered remotely via a malicious web page, requiring only that the user visit a crafted URL. No EPSS data is currently available, and the vulnerability is not listed in the CISA KEV catalog. Attackers with access to a user\u2019s browser could leverage the OOB read/write to hijack memory or execute arbitrary code, making the risk significant for exposed users."}}}}, "created": "2026-03-20T08:53:35.013018+00:00", "updated": "2026-03-20T10:43:28.433810+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}