CVE-2026-3918
Published: 11 March 2026
Description
Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the specific use-after-free vulnerability in Chrome's WebMCP component as released in version 146.0.7680.71.
Provides memory boundary protections such as ASLR and DEP that directly mitigate use-after-free heap corruption exploits.
Deploys malicious code protection tools capable of scanning and blocking crafted HTML pages exploiting the WebMCP vulnerability.
Security SummaryAI
CVE-2026-3918 is a use-after-free vulnerability (CWE-416) in the WebMCP component of Google Chrome prior to version 146.0.7680.71. This flaw enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, though it requires user interaction such as visiting a malicious webpage. Successful exploitation could result in high impacts to confidentiality, integrity, and availability through heap corruption.
Google's stable channel update for Chrome desktop, announced at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html, addresses this issue in version 146.0.7680.71 and later. Additional details are available in the Chromium bug tracker at https://issues.chromium.org/issues/483853103.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free vulnerability in Google Chrome exploited via crafted HTML page requiring user interaction to visit a malicious webpage, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).