CVE-2026-3917

High

Published: 11 March 2026

Published

11 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in Agents in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free vulnerability by requiring timely identification, reporting, and correction via the Chrome patch to version 146.0.7680.71.

SI-16 Memory Protection good match

prevent

Implements security safeguards such as ASLR and DEP to protect against unauthorized code execution due to memory address misuse like use-after-free leading to heap corruption.

SC-39 Process Isolation good match

prevent

Enforces process isolation through browser sandboxing to contain potential exploitation of heap corruption within isolated processes.

Security SummaryAI

CVE-2026-3917 is a use-after-free vulnerability (CWE-416) affecting the Agents component in Google Chrome prior to version 146.0.7680.71. This flaw enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

A remote attacker without privileges can exploit this vulnerability over the network with low attack complexity, though it requires user interaction, such as convincing a user to visit a malicious website. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution with high impacts on confidentiality, integrity, and availability.

Google addressed this vulnerability in Chrome version 146.0.7680.71. Practitioners should advise users to update immediately. Further details are provided in the Chrome stable channel update at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/483569512.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 146.0.7680.71

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability in Chrome exploited via crafted HTML page enables remote code execution through client-side exploitation (T1203) and drive-by compromise by luring users to malicious websites (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/483569512
Permissions Required · chrome-cve-admin@google.com