PatchSiren cyber security CVE debrief
CVE-2026-4447 Google CVE debrief
A high-severity inappropriate implementation vulnerability in Google Chrome's V8 JavaScript engine, fixed in version 146.0.7680.153, enables remote code execution inside the browser sandbox when a user visits a crafted HTML page. The CVSS 3.1 score of 8.8 reflects network attack vector, low complexity, no privileges required, user interaction needed, and high impact to confidentiality, integrity, and availability. The vulnerability was published on March 20, 2026, with the NVD record last modified on June 10, 2026. No known exploitation in ransomware campaigns has been catalogued in CISA KEV. Chrome's stable channel update and Chromium issue tracker contain authoritative technical details.
- Vendor
- Product: Chrome
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-10
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-10
Who should care
Organizations with large Chrome deployments, enterprises relying on browser-isolated workloads, and security teams monitoring web-based threat vectors should prioritize this patch. The sandboxed nature of the exploit limits immediate system compromise but does not eliminate risk, particularly when combined with other vulnerabilities or sandbox escape techniques.
Technical summary
CVE-2026-4447 is an inappropriate implementation flaw in the V8 JavaScript engine used by Google Chrome. Versions prior to 146.0.7680.153 are affected. A remote attacker can exploit this vulnerability by inducing a user to load a maliciously crafted HTML page, resulting in arbitrary code execution within the browser's sandbox environment. The vulnerability does not require elevated privileges and has low attack complexity, though user interaction is necessary. The fix was distributed through Chrome's stable channel update.
Defensive priority
high
Recommended defensive actions
- Upgrade Google Chrome to version 146.0.7680.153 or later across all managed endpoints.
- Verify automatic update mechanisms are enabled and functioning for Chrome installations.
- Restrict or monitor execution of untrusted HTML content and browser-based applications where patching is delayed.
- Review sandbox escape mitigations and defense-in-depth controls, as the vulnerability permits arbitrary code execution within the sandbox.
- Monitor Chromium issue tracker and Chrome release notes for additional technical details or follow-up fixes.
Evidence notes
The NVD CPE data lists Google Chrome as the vulnerable product with an upper bound of 146.0.7680.153, and assigns a secondary CWE-693 (Protection Mechanism Failure) weakness classification alongside NVD-CWE-noinfo. The vendor field in the source corpus indicates Apple with medium confidence based on nvd_cpe; however, the CPE criteria and description clearly identify Google Chrome and the V8 engine as the affected product. The Chrome Releases blog and Chromium issue tracker are the primary authoritative sources.
Official resources
- CVE-2026-4447 CVE record: CVE.org
- CVE-2026-4447 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference: [email protected] - Issue Tracking, Permissions Required
2026-03-20T02:16:37.520Z