{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4459", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-19T20:23:53.918Z", "datePublished": "2026-03-20T01:34:56.021Z", "dateUpdated": "2026-03-20T14:42:46.968Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.153", "status": "affected", "lessThan": "146.0.7680.153", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in WebAudio in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out of bounds read and write"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-20T01:34:56.021Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/490246422"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:33:31.030581Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:42:46.968Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out of bounds read and write in WebAudio in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-4459", "lastModified": "2026-03-20T13:37:50.737", "metrics": {}, "published": "2026-03-20T02:16:39.197", "references": [{"source": "chrome-cve-admin@google.com", "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "url": "https://issues.chromium.org/issues/490246422"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "chromium-browser: Out of bounds read and write in WebAudio", "id": "2449402", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449402"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["An out of bounds read and write flaw was found in the WebAudio component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=490246422"], "name": "CVE-2026-4459", "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4459\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4459\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/490246422"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.153,146.0.7680.153)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-20T13:50:38.993219+00:00", "value": {"mitigation_remediation": ["Update Google Chrome to version 146.0.7680.153 or newer", "Verify the update by checking the browser\u2019s version and reviewing the release notes"], "summary": {"action": "Immediate Patch", "impact": "Remote Heap Corruption"}, "threat_synthesis": {"affected_systems": "This issue affects Google Chrome users who run any version earlier than 146.0.7680.153. The CNA lists Google:Chrome as the affected product, and no other versions are mentioned in the entry. Users of the stable channel before the March 2026 update are therefore vulnerable.", "description_and_impact": "The vulnerability is an out\u2011of\u2011bounds read and write in the WebAudio engine of Google Chrome, identified as CWE-119 and CWE-125. A remote attacker can craft a malicious HTML page that causes the browser to read or write past allocated memory, leading to a heap corruption. This corruption may allow the attacker to overwrite memory, crash the browser, or execute arbitrary code, thereby compromising confidentiality, integrity, or availability of the victim\u2019s system.", "risk_and_exploitability": "The CVSS score of 9.6 classifies this vulnerability as critical. The EPSS score is not provided, and it is not listed in CISA\u2019s KEV catalog. The attack vector is remote: a malicious HTML page served over the Internet can trigger the out\u2011of\u2011bounds operations without requiring any additional privileges. Given the high severity and the simplicity of the exploit conditions, the likelihood of exploitation in the wild is high, especially in environments where users visit untrusted web content."}}}}, "created": "2026-03-20T08:53:18.632896+00:00", "updated": "2026-03-20T14:14:14.108666+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}