{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4446", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-19T20:23:49.946Z", "datePublished": "2026-03-20T01:34:47.750Z", "dateUpdated": "2026-03-20T01:34:47.750Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.153", "status": "affected", "lessThan": "146.0.7680.153", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-20T01:34:47.750Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/486421954"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-4446", "lastModified": "2026-03-20T02:16:37.363", "metrics": {}, "published": "2026-03-20T02:16:37.363", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/486421954"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Use after free in WebRTC", "id": "2449405", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449405"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["An use after free flaw was found in the WebRTC component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=486421954"], "name": "CVE-2026-4446", "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4446\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4446\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/486421954"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.153,146.0.7680.153)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-20T03:28:14.919865+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 146.0.7680.153 or later", "Ensure automatic updates are enabled to receive future security patches"], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected vendor: Google. Product: Google Chrome (desktop). Affected versions: any Chrome version earlier than 146.0.7680.153. The issue was fixed in the 146.0.7680.153 build and later.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free in the WebRTC component of Google Chrome versions prior to 146.0.7680.153. A malicious web page can trigger the bug, causing heap corruption that may lead to arbitrary code execution. The weakness is classified as CWE\u2011416 and has been rated as high severity by Chromium.", "risk_and_exploitability": "The CVSS score is high (exact numeric value not provided), and the EPSS score is not available. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is remote via a crafted HTML page served over the network, so any user who visits a malicious site while Chrome is running could be impacted. Because heap corruption can lead to execution of attacker\u2011controlled code, the potential impact is severe."}}}}, "created": "2026-03-20T08:53:29.908380+00:00", "title": "Use After Free in WebRTC Leading to Remote Code Execution in Google Chrome", "updated": "2026-03-20T10:43:23.240327+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}