{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4675", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-23T21:08:17.405Z", "datePublished": "2026-03-24T00:24:41.442Z", "dateUpdated": "2026-03-25T03:55:41.369Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.165", "status": "affected", "lessThan": "146.0.7680.165", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-24T00:24:41.442Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html"}, {"url": "https://issues.chromium.org/issues/488270257"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4675"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:55:41.369Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T00:47:46.494092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T00:52:00.685Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "146.0.7680.165", "lessThan": "146.0.7680.165", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html"}, {"url": "https://issues.chromium.org/issues/488270257"}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "Heap buffer overflow"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-24T00:24:41.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4675", "state": "PUBLISHED", "dateUpdated": "2026-03-25T03:55:41.369Z", "dateReserved": "2026-03-23T21:08:17.405Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-24T00:24:41.442Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "2570A6D2-95CF-4CB3-A7D1-8CC6532A05FA", "versionEndExcluding": "146.0.7680.164", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)"}, {"lang": "es", "value": "Desbordamiento de b\u00fafer de mont\u00f3n en WebGL en Google Chrome anterior a 146.0.7680.165 permiti\u00f3 a un atacante remoto realizar una lectura de memoria fuera de l\u00edmites mediante una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Alta)"}], "id": "CVE-2026-4675", "lastModified": "2026-03-24T16:51:34.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T01:17:03.090", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/488270257"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Heap buffer overflow in WebGL", "id": "2450570", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450570"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-787", "details": ["A heap buffer overflow flaw was found in the WebGL component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=488270257"], "name": "CVE-2026-4675", "public_date": "2026-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4675\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4675\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html\nhttps://issues.chromium.org/issues/488270257"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,146.0.7680.165)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-03-24T18:54:04.118183+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 146.0.7680.165 or later on all affected platforms.", "Verify that the update was applied by checking the browser\u2019s About menu or running \"chrome://version/\".", "If unable to upgrade immediately, consider disabling WebGL in the browser settings to reduce the attack surface until a patch is installed.", "Ensure that any system wide update mechanisms for Chrome are operating correctly and that future updates are automatically applied."], "summary": {"action": "Patch Immediately", "impact": "Out-of-bounds memory read (information disclosure)"}, "threat_synthesis": {"affected_systems": "Google Chrome versions earlier than 146.0.7680.165 on all major desktop operating systems \u2013 Windows, macOS, and Linux \u2013 are affected. The issue specifically targets the WebGL component of the browser, which is available across these platforms.", "description_and_impact": "The flaw is a heap buffer overflow in Chrome\u2019s WebGL implementation that permits a remote attacker to read memory beyond the intended bounds through a specially crafted HTML page. The vulnerability could expose private data or be a stepping stone to more serious attacks such as code execution, depending on the information gleaned from the read. The weakness is classified as CWE\u2011122 and CWE\u2011787, consistent with out-of-bounds read and write conditions.", "risk_and_exploitability": "The exploit requires the victim to open a malicious web page, making the attack vector remote and browser\u2011based. The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1\u202f% suggests exploitation is relatively unlikely. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS score warrants attention, and once patched, the risk is effectively mitigated."}}}}, "created": "2026-03-24T10:29:33.462974+00:00", "updated": "2026-03-25T20:40:39.473072+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}