Cyber Posture

CVE-2026-3921

Severity: High
Published: 11 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent (SI-2, Flaw Remediation): Timely flaw remediation ensures the Chrome 146.0.7680.71 patch is applied, which directly fixes the use-after-free in TextEncoding.

- Prevent (SI-16, Memory Protection): Memory protection mechanisms such as ASLR and DEP help mitigate the heap corruption resulting from the TextEncoding use-after-free by making reliable exploitation harder; they do not remove the flaw itself.

- Prevent (SC-39, Process Isolation): Process isolation sandboxes the Chrome renderer process, limiting the impact of heap corruption triggered by crafted HTML pages.

Security Summary [AI-generated]

CVE-2026-3921 is a use-after-free vulnerability (CWE-416) in the TextEncoding component of Google Chrome prior to version 146.0.7680.71. Published on 2026-03-11, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit this by luring a user to interact with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially leading to heap corruption and arbitrary code execution within the browser's renderer process.

Google addressed this in Chrome stable channel version 146.0.7680.71. For mitigation details, refer to the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/484946544.

Details

CWE(s)

CWE-416: Use After Free

Affected Products

Google Chrome, versions ≤ 146.0.7680.71 (as listed; note that the description above states that versions prior to 146.0.7680.71 are affected and that 146.0.7680.71 is the fixed release)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The use-after-free vulnerability in Chrome's TextEncoding component enables arbitrary code execution in the browser's renderer process via a crafted HTML page, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
