Skip to main content

Google EUVDEUVD-2026-13461

| CVE-2026-4447 HIGH
Protection Mechanism Failure (CWE-693)
2026-03-20 chrome-cve-admin@google.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
9.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 20, 2026 - 08:46 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13461
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 02:16 nvd
HIGH 8.8

DescriptionNVD

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

A sandbox escape vulnerability exists in Google Chrome's V8 JavaScript engine prior to version 146.0.7680.153, allowing remote attackers to execute arbitrary code within the Chrome sandbox through a crafted HTML page. This is a High severity issue affecting millions of Chrome users across Windows, macOS, and Linux platforms. The vulnerability is triggered via web-based attack vector (HTML page delivery) and does not require user interaction beyond visiting a malicious website.

Technical ContextAI

This vulnerability resides in V8, Google's open-source JavaScript engine that powers Google Chrome and Chromium-based browsers. V8 implements a Just-In-Time (JIT) compiler and garbage collector for JavaScript execution. The 'inappropriate implementation' described in the CVE indicates a logic flaw in V8's sandboxing mechanisms or memory safety guarantees, likely related to how the engine handles specific JavaScript constructs or edge cases. The vulnerability affects Chrome versions prior to 146.0.7680.153 across all desktop platforms. While no CWE is formally assigned in the available metadata, sandbox escape vulnerabilities typically stem from memory corruption (CWE-119), type confusion (CWE-843), or improper validation of security boundaries (CWE-693).

RemediationAI

Immediately upgrade Google Chrome to version 146.0.7680.153 or later. For enterprise deployments, use Chrome's built-in auto-update mechanism or deploy the patched version through centralized device management (MDM/EMM). Debian users should update chromium-browser packages through their distribution repositories. No workarounds can reliably mitigate sandbox escape vulnerabilities prior to patching—if immediate patching is delayed, consider restricting access to untrusted web content by disabling Chrome on high-risk user accounts or using enhanced sandboxing features if available in your Chrome version. Verify patching completion by checking chrome://version to confirm running build 146.0.7680.153 or higher. Refer to https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html for detailed release notes and patch deployment guidance.

Vendor StatusVendor

Ubuntu

Priority: Medium
chromium-browser
Release Status Version
jammy not-affected code not present
noble not-affected code not present
questing not-affected code not present
upstream released -

Debian

chromium
Release Status Fixed Version Urgency
bullseye (security), bullseye vulnerable 120.0.6099.224-1~deb11u1 -
bookworm fixed 146.0.7680.153-1~deb12u1 -
bookworm (security) fixed 146.0.7680.153-1~deb12u1 -
trixie fixed 146.0.7680.153-1~deb13u1 -
trixie (security) fixed 146.0.7680.153-1~deb13u1 -
forky vulnerable 146.0.7680.80-1 -
sid fixed 146.0.7680.153-1 -
bullseye fixed (unfixed) end-of-life
(unstable) fixed 146.0.7680.153-1 -

SUSE

Severity: High
Product Status
SUSE Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Package Hub 15 SP6 Fixed

Share

EUVD-2026-13461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy