CVE-2026-4673 Overview
CVE-2026-4673 is a heap buffer overflow vulnerability in the WebAudio component of Google Chrome versions prior to 146.0.7680.165. A remote attacker can trigger an out-of-bounds memory write by serving a crafted HTML page to a target user. Google classifies the Chromium security severity as High, and the issue is tracked under Chromium Issue Tracker #485397284. The vulnerability affects Chrome installations on Windows, macOS, and Linux platforms. Exploitation requires user interaction, specifically navigation to attacker-controlled content. Successful exploitation can lead to memory corruption in the renderer process and potential arbitrary code execution.
Critical Impact
Remote attackers can corrupt heap memory in the Chrome renderer process via a crafted HTML page, enabling out-of-bounds writes that may lead to arbitrary code execution.
Affected Products
- Google Chrome prior to 146.0.7680.165 on Microsoft Windows
- Google Chrome prior to 146.0.7680.165 on Apple macOS
- Google Chrome prior to 146.0.7680.165 on Linux
Discovery Timeline
- 2026-03-23 - Google releases stable channel update fixing the vulnerability
- 2026-03-24 - CVE-2026-4673 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-4673
Vulnerability Analysis
The vulnerability resides in the WebAudio API implementation within Chromium's Blink renderer. WebAudio processes audio data through a graph of AudioNode objects operating on fixed-size buffers in the renderer process. A crafted HTML page can manipulate WebAudio processing in a way that causes the engine to write beyond the bounds of an allocated heap buffer.
The issue is categorized under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Attackers can use the overflow to corrupt adjacent heap objects, including function pointers or virtual table entries. This corruption forms the foundation for renderer process compromise and, when combined with a sandbox escape, full host code execution.
Root Cause
The defect stems from insufficient bounds checking during buffer manipulation in WebAudio. Specific audio processing paths fail to validate that destination buffer sizes accommodate the data being written. When attacker-controlled parameters drive the buffer geometry, the resulting write extends past the allocated region.
Attack Vector
Exploitation occurs over the network and requires the victim to load a malicious HTML page in a vulnerable Chrome build. The attacker hosts JavaScript that constructs an abusive WebAudio graph and triggers the overflow during audio processing. No authentication is required. The compromised renderer remains constrained by Chrome's sandbox unless paired with an additional escape vulnerability.
No public proof-of-concept exploit was available at the time of publication. Technical details remain restricted in the Chromium issue tracker pending broader patch adoption.
Detection Methods for CVE-2026-4673
Indicators of Compromise
- Chrome renderer process crashes with heap corruption signatures, such as SIGSEGV or EXCEPTION_ACCESS_VIOLATION, while pages using WebAudio are loaded.
- Outbound connections from browser hosts to newly registered or low-reputation domains delivering audio-heavy HTML content.
- Unexpected child process creation from chrome.exe following navigation to untrusted sites.
Detection Strategies
- Inventory Chrome installations across the fleet and flag versions below 146.0.7680.165 for prioritized remediation.
- Hunt for renderer crash telemetry containing WebAudio stack frames in the seven days surrounding suspicious browsing activity.
- Correlate browser process anomalies with proxy logs to identify users who visited attacker-controlled pages.
Monitoring Recommendations
- Forward Chrome crash dumps and process telemetry to a centralized analytics pipeline for pattern analysis.
- Monitor for unusual memory growth or child process spawning from Chrome renderers handling untrusted content.
- Alert on policy violations indicating users disabling automatic Chrome updates or sandbox features.
How to Mitigate CVE-2026-4673
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.165 or later on all Windows, macOS, and Linux endpoints.
- Verify enterprise update channels are functioning and force-restart browsers to apply the patch.
- Audit endpoint management consoles to confirm patch deployment status across the environment.
Patch Information
Google addressed the vulnerability in the Chrome Stable channel release documented in the Chrome Releases blog post for March 23, 2026. Administrators should also push the fixed build to Chrome-based enterprise deployments and any embedded WebView components that track Chromium releases.
Workarounds
- Restrict browsing to trusted sites using enterprise web filtering until patches are deployed.
- Enforce Chrome site isolation and ensure the renderer sandbox is enabled to limit post-exploitation impact.
- Apply Chrome enterprise policies to disable execution of untrusted extensions that may broaden the attack surface.
# Verify installed Chrome version on Linux
google-chrome --version
# Windows: query installed version via registry
reg query "HKLM\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv
# macOS: check bundle version
defaults read /Applications/Google\ Chrome.app/Contents/Info CFBundleShortVersionString
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
