{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4454", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-19T20:23:51.829Z", "datePublished": "2026-03-20T01:34:53.048Z", "dateUpdated": "2026-03-20T14:42:46.141Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.153", "status": "affected", "lessThan": "146.0.7680.153", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use after free", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-20T01:34:53.048Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/488585488"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:33:19.717539Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:46.141Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-4454", "lastModified": "2026-03-20T13:37:50.737", "metrics": {}, "published": "2026-03-20T02:16:38.490", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/488585488"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "chrome-cve-admin@google.com", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Use after free in Network", "id": "2449414", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449414"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["An use after free flaw was found in the Network component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=488585488"], "name": "CVE-2026-4454", "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4454\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4454\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/488585488"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.153,146.0.7680.153)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-20T13:23:49.928521+00:00", "value": {"mitigation_remediation": ["Acquire and install Chrome version 146.0.7680.153 or later."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected product is Google Chrome \u2013 any installation of Chrome before version 146.0.7680.153 is vulnerable. The vulnerability affects all operating systems that run the affected Chrome build, including Windows, macOS, and Linux. No sub\u2011version list beyond the primary release is specified.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free condition in the Network component of Google Chrome that could lead to heap corruption when the browser processes a specially crafted HTML page. An attacker who can entice a victim to load malicious content could potentially gain arbitrary code execution in the context of the browser, compromising confidentiality, integrity, and availability of the user\u2019s system. This weakness is identified as CWE\u2011416 (Use After Free) and CWE\u2011825 (Heap Corruption).", "risk_and_exploitability": "The CVSS score is 9.6, indicating a high severity and very high risk to affected systems. No EPSS score is reported, so exploitation likelihood is unknown, but the vulnerability is high severity and a potential remote attacker can deliver malicious HTML over the internet. The vulnerability is not yet listed in the CISA KEV catalog, meaning no widespread use yet. The likely attack vector is remote via a crafted web page, requiring no privileged access on the victim machine."}}}}, "created": "2026-03-20T08:53:23.116835+00:00", "updated": "2026-03-20T14:14:20.636597+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}