CVE-2026-4458 Overview
CVE-2026-4458 is a use-after-free vulnerability in the Extensions component of Google Chrome prior to version 146.0.7680.153. An attacker who convinces a user to install a crafted, malicious Chrome Extension can trigger heap corruption. The Chromium project rates this issue as High security severity.
The flaw affects Chrome on Windows, macOS, and Linux. Successful exploitation can lead to arbitrary code execution within the renderer or extension process, with potential for sandbox escape depending on follow-on chains. The weakness is classified as CWE-416 (Use After Free).
Critical Impact
Heap corruption via a crafted Chrome Extension can lead to potential code execution in the browser process context.
Affected Products
- Google Chrome prior to 146.0.7680.153
- Chrome desktop builds on Microsoft Windows
- Chrome desktop builds on Apple macOS and Linux
Discovery Timeline
- 2026-03-18 - Google releases Chrome Stable Channel update addressing the flaw (per the Google Chrome Stable Update)
- 2026-03-20 - CVE-2026-4458 published to the National Vulnerability Database (NVD)
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-4458
Vulnerability Analysis
The vulnerability is a use-after-free condition in Chrome's Extensions subsystem. A use-after-free occurs when a program continues to reference a memory region after it has been freed, allowing an attacker to manipulate the contents of that freed memory before the dangling pointer is dereferenced.
In the context of Chrome Extensions, the affected code path retains a reference to an extension-managed object whose lifetime is shorter than the consumer expects. When the freed object is replaced by attacker-controlled data on the heap, subsequent dereferences operate on attacker-influenced memory. This results in heap corruption that can be steered toward control-flow hijack.
Exploitation requires user interaction. The victim must install a malicious extension crafted by the attacker, which then issues the API calls required to reach the vulnerable code path.
Root Cause
The root cause is improper object lifetime management within the Extensions implementation, classified as CWE-416. The vulnerable code does not synchronize ownership of an extension-scoped object with all consumers holding references, so a release path can free memory that another path later reuses. Additional technical detail is restricted in the Chromium Issue Tracker Entry until broad patch adoption.
Attack Vector
The attack vector is network-adjacent through extension distribution. An attacker publishes or sideloads a malicious Chrome Extension and convinces a user to install it. Once installed, the extension triggers the vulnerable Extensions API sequence, producing the dangling pointer and subsequent heap corruption. No additional privileges are required beyond the permissions the user grants the extension at install time.
The vulnerability manifests within the Extensions component reachable from extension JavaScript and native messaging interfaces. See the Chromium Issue Tracker Entry for technical details once disclosure restrictions are lifted.
Detection Methods for CVE-2026-4458
Indicators of Compromise
- Installation of unsigned or sideloaded Chrome extensions from outside the Chrome Web Store, particularly via developer mode or enterprise policy overrides.
- Chrome renderer or extension process crashes with heap corruption signatures referencing the Extensions subsystem in crash dumps.
- Outbound network connections from chrome.exe to unfamiliar domains shortly after a new extension is loaded.
Detection Strategies
- Inventory installed Chrome extensions across the fleet and compare extension IDs against an approved allowlist.
- Monitor for Chrome versions below 146.0.7680.153 in endpoint telemetry to identify unpatched browsers.
- Alert on writes to the Chrome Extensions directory (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows and the equivalent on macOS and Linux) outside of normal update processes.
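As an added example (not from the advisory), the following Python script implements the first two checks above: it compares a reported Chrome build against the fixed version and walks a profile's Extensions directory to flag extension IDs missing from an allowlist. The directory layout (<id>/<version>_<n>/manifest.json) is Chrome's, but the extension IDs and names are constructed placeholders; install source (Web Store vs. sideloaded) is recorded in the profile's Preferences file rather than manifest.json, so it is out of scope here.

```python
import json
import tempfile
from pathlib import Path

# Fixed build from the advisory; anything older is unpatched.
FIXED_VERSION = "146.0.7680.153"

def parse_version(v: str) -> tuple:
    """Dotted Chrome version string -> comparable tuple of ints."""
    return tuple(int(p) for p in v.strip().split("."))

def is_unpatched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Chrome build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)

def audit_extensions(extensions_dir: str, allowlist: set) -> list:
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json and report
    every installed extension whose ID is not on the approved allowlist."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            data = json.loads(manifest.read_text(encoding="utf-8"))
            if ext_dir.name not in allowlist:
                findings.append({"id": ext_dir.name,
                                 "name": data.get("name", "?"),
                                 "version": data.get("version", manifest.parent.name)})
    return findings

def build_sample_profile() -> str:
    """Create a constructed Extensions directory holding two fake extensions.
    The 32-letter IDs are placeholders, not real Chrome Web Store IDs."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("Corporate SSO Helper", "2.1.0"),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("Free Video Downloader", "0.9.3"),
    }
    for ext_id, (name, version) in samples.items():
        d = root / ext_id / f"{version}_0"   # Chrome appends _<n> to the version dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}),
            encoding="utf-8")
    return str(root)

if __name__ == "__main__":
    root = build_sample_profile()
    print(audit_extensions(root, {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}))
    print("unpatched:", is_unpatched("146.0.7680.120"))
```

On a real endpoint, point audit_extensions at the profile path given in the third item above and feed is_unpatched the version string your inventory tool reports.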
Monitoring Recommendations
- Track Chrome WerFault crash events and Chrome's own crash reporter output for repeated faults in extension-related modules.
- Correlate extension installation events with subsequent child process creation and network activity from the browser.
- Review enterprise policies that allow ExtensionInstallSources or ExtensionInstallForcelist entries pointing to non-Web Store URLs.
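As an added example (not from the advisory), the following Python script correlates extension installation events with browser-originated network and child-process events on the same host inside a short window, as the second item above recommends. The JSON-lines telemetry, its field names, and the hostnames are constructed for illustration and assume an endpoint agent that emits these three event types.

```python
import json
from datetime import datetime, timedelta

# Constructed endpoint telemetry (JSON lines); the field names are assumptions
# about what a browser-management or EDR agent would emit, not a real schema.
SAMPLE_EVENTS = """\
{"ts":"2026-03-19T09:00:00","host":"ws-17","event":"extension_installed","ext_id":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","source":"sideload"}
{"ts":"2026-03-19T09:00:42","host":"ws-17","event":"network_connect","process":"chrome.exe","dest":"cdn.example.invalid:443"}
{"ts":"2026-03-19T09:01:10","host":"ws-17","event":"process_create","parent":"chrome.exe","image":"powershell.exe"}
{"ts":"2026-03-19T11:30:00","host":"ws-17","event":"network_connect","process":"chrome.exe","dest":"mail.example.com:443"}
{"ts":"2026-03-19T09:05:00","host":"ws-22","event":"extension_installed","ext_id":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","source":"webstore"}
{"ts":"2026-03-19T09:06:00","host":"ws-22","event":"network_connect","process":"chrome.exe","dest":"clients2.google.com:443"}
"""

BROWSER_IMAGES = {"chrome.exe", "chrome", "Google Chrome"}
FOLLOW_ON = {"process_create", "network_connect"}

def parse_events(text: str) -> list:
    """Parse JSON lines, convert timestamps, and sort chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def from_browser(e: dict) -> bool:
    """True for network events made by the browser or processes it spawned."""
    return (e.get("process") or e.get("parent")) in BROWSER_IMAGES

def correlate(events: list, window=timedelta(minutes=5), sideloaded_only=True) -> list:
    """One alert per extension install that is followed, on the same host and
    within the window, by browser-originated network or child-process activity.
    Web Store installs are skipped unless sideloaded_only is False."""
    alerts = []
    for inst in (e for e in events if e["event"] == "extension_installed"):
        if sideloaded_only and inst.get("source") == "webstore":
            continue
        follow = [e for e in events
                  if e["host"] == inst["host"] and e["event"] in FOLLOW_ON
                  and from_browser(e) and inst["ts"] <= e["ts"] <= inst["ts"] + window]
        if follow:
            alerts.append({"host": inst["host"], "ext_id": inst["ext_id"],
                           "follow_on": [e["event"] for e in follow]})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(a)
```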
How to Mitigate CVE-2026-4458
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.153 or later on Windows, macOS, and Linux endpoints.
- Audit installed extensions and remove any that are unused, untrusted, or sideloaded.
- Restrict extension installation to the Chrome Web Store and an approved allowlist using enterprise policy.
Patch Information
Google addressed CVE-2026-4458 in Chrome Stable channel build 146.0.7680.153. Details are documented in the Google Chrome Stable Update. Chromium-based browsers that consume the upstream fix should be updated to the corresponding vendor release once available.
Workarounds
- Enforce ExtensionInstallBlocklist set to * and use ExtensionInstallAllowlist to permit only vetted extension IDs until patching completes.
- Disable developer mode for extensions on managed endpoints to prevent loading of unpacked extensions.
- Block access to third-party extension distribution sites at the network egress layer.
REM Chrome enterprise policy example (Windows registry) to restrict extensions.
REM ExtensionInstallBlocklist and ExtensionInstallAllowlist are list policies: each entry is a REG_SZ value named 1, 2, 3, ... under the policy key.
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlocklist" /v 1 /t REG_SZ /d "*" /f
reg add "HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist" /v 1 /t REG_SZ /d "<approved-extension-id>" /f
REM DeveloperToolsAvailability is a single DWORD value directly under the Chrome policy key, not a subkey; 2 = DeveloperToolsDisallowed.
reg add "HKLM\Software\Policies\Google\Chrome" /v DeveloperToolsAvailability /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.