CVE-2026-4675 Overview
CVE-2026-4675 is a heap buffer overflow vulnerability in the WebGL component of Google Chrome versions prior to 146.0.7680.165. A remote attacker can trigger an out-of-bounds memory read by serving a crafted HTML page to a target browser. The flaw is tracked under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Google classifies the Chromium security severity as High. Exploitation requires user interaction, specifically loading attacker-controlled web content. The vulnerability affects Chrome on Windows, macOS, and Linux desktop platforms.
Critical Impact
A remote attacker can read out-of-bounds heap memory from the renderer process, potentially leaking sensitive in-process data and enabling chained exploitation against the Chrome sandbox.
Affected Products
- Google Chrome versions prior to 146.0.7680.165
- Chrome on Microsoft Windows, Apple macOS, and Linux desktop
- Chromium-based browsers incorporating the vulnerable WebGL code
Discovery Timeline
- 2026-03-24 - CVE-2026-4675 published to the National Vulnerability Database (NVD)
- 2026-03-24 - Last updated in NVD database
- 2026-03 - Google releases fixed Chrome build 146.0.7680.165 via the Stable Channel Update for Desktop
Technical Details for CVE-2026-4675
Vulnerability Analysis
The vulnerability resides in Chrome's WebGL implementation, which exposes GPU rendering primitives to JavaScript running in the browser. WebGL allocates heap buffers to hold vertex, index, and texture data supplied by web content. A flaw in bounds checking allows JavaScript on a crafted page to instruct the WebGL pipeline to read past the end of an allocated heap buffer. The read occurs inside the renderer process, where adjacent heap memory may contain pointers, JavaScript object metadata, or other content from the same origin context.
An out-of-bounds heap read in a renderer is not a direct code execution primitive, but it is a strong building block. Attackers commonly combine such reads with a separate write or type-confusion bug to bypass Address Space Layout Randomization (ASLR) and stage a renderer compromise. From a compromised renderer, adversaries can then target sandbox escape vulnerabilities to reach the host operating system.
Root Cause
The root cause is a heap-based buffer overflow condition in WebGL where input parameters from JavaScript are not adequately validated against the size of the underlying heap allocation. The validation gap permits the GPU command processing path to dereference memory beyond the intended buffer boundary.
Attack Vector
Exploitation is network-based and requires user interaction. A victim must visit an attacker-controlled or compromised web page that hosts malicious WebGL JavaScript. No authentication is required. The CVSS scope is unchanged (the bug on its own does not cross the renderer sandbox boundary), but the renderer process can be coerced to expose heap contents to the attacker's script, which can then exfiltrate the data over the network. See the Chromium Issue Tracker entry for technical details.
Detection Methods for CVE-2026-4675
Indicators of Compromise
- Chrome renderer process crashes with heap corruption signatures originating from WebGL modules
- Outbound connections from browser processes to recently registered or low-reputation domains immediately after rendering WebGL content
- Unexpected child processes spawned by chrome.exe following navigation to untrusted sites
- Telemetry showing Chrome versions below 146.0.7680.165 still deployed across managed endpoints
Detection Strategies
- Inventory installed Chrome versions through endpoint management tooling and flag hosts below 146.0.7680.165
- Monitor renderer crash dumps in chrome_crashpad for stack frames inside WebGL or ANGLE components
- Correlate web proxy logs with browser process telemetry to identify pages that trigger renderer instability
- Hunt for JavaScript payloads that invoke unusual sequences of WebGLRenderingContext calls in content served to managed endpoints
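Added example (not from this advisory or from Google's tooling): a Python inventory check that compares Chrome version strings numerically against the fixed build, so that a host on 146.0.7680.99 is not mistaken for a patched one by a plain string comparison. Host names and versions below are constructed sample data.

```python
"""Flag managed endpoints whose Chrome build is older than the fixed release."""
from typing import List, Optional, Tuple

# First Stable build that addresses CVE-2026-4675 (from the advisory)
FIXED_VERSION = "146.0.7680.165"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a four-part dotted Chrome version into ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when version is numerically below fixed; None when unparsable."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


def flag_hosts(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, version) records into vulnerable and unparsable hosts.

    Unparsable entries are reported separately: an inventory gap is not
    evidence that the host is patched.
    """
    vulnerable, unparsable = [], []
    for host, version in inventory:
        state = is_vulnerable(version)
        if state is None:
            unparsable.append(host)
        elif state:
            vulnerable.append(host)
    return vulnerable, unparsable


# Constructed sample inventory; hostnames and versions are not real records
SAMPLE_INVENTORY = [
    ("ws-001", "146.0.7680.165"),  # exactly the fixed build
    ("ws-002", "146.0.7680.99"),   # lower build; string compare would call it newer
    ("ws-003", "145.0.7500.210"),  # older major version
    ("ws-004", "147.0.7800.3"),    # newer than the fix
    ("ws-005", "unknown"),         # agent failed to report a version
]

if __name__ == "__main__":
    vuln, bad = flag_hosts(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("unparsable:", bad)
```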
Monitoring Recommendations
- Forward browser process and crash telemetry into a centralized data lake for retrospective hunting
- Track DNS and HTTPS connections initiated by renderer processes for anomalous destinations
- Alert on Chrome auto-update failures that leave endpoints stranded on vulnerable builds
How to Mitigate CVE-2026-4675
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.165 or later on all Windows, macOS, and Linux endpoints
- Force-restart Chrome processes after the update so the patched binary is loaded into memory
- Audit Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply vendor updates that incorporate the upstream fix
- Restrict access to high-risk browsing categories on unpatched endpoints until remediation completes
Patch Information
Google addressed CVE-2026-4675 in the Chrome Stable channel build 146.0.7680.165. Administrators should consult the Stable Channel Update for Desktop advisory and verify rollout through enterprise management policies such as Chrome Browser Cloud Management or group policy.
Workarounds
- Disable WebGL via the chrome://flags/#disable-webgl setting or enterprise policy WebGLEnabled=false where business workflows permit
- Deploy site isolation and strict Content Security Policy (CSP) controls to limit exposure from untrusted origins
- Use browser extension controls to block JavaScript on untrusted domains for high-value users
# Configuration example: enforce Chrome auto-updates and disable WebGL via policy (Windows, run from an elevated prompt)
# Chrome browser policy; the WebGLEnabled value name is as given in this advisory, 0 = disabled
reg add "HKLM\Software\Policies\Google\Chrome" /v WebGLEnabled /t REG_DWORD /d 0 /f
# Google Update policies live directly under ...\Google\Update (no per-channel subkey); UpdateDefault=1 allows automatic updates
reg add "HKLM\Software\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.