CVE-2026-3923

High

Published: 11 March 2026

Published

11 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in WebMIDI in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the use-after-free flaw in Chrome's WebMIDI via software updates to version 146.0.7680.71 or later.

SI-16 Memory Protection good match

prevent

Implements memory protections like ASLR and DEP to prevent exploitation of heap corruption from use-after-free in the renderer process.

SC-39 Process Isolation good match

prevent

Provides process isolation through browser sandboxing to contain potential arbitrary code execution in the compromised WebMIDI renderer process.

Security SummaryAI

CVE-2026-3923 is a use-after-free vulnerability (CWE-416) in the WebMIDI component of Google Chrome prior to version 146.0.7680.71. Published on 2026-03-11, it enables potential heap corruption via a crafted HTML page, as reported with High severity by the Chromium security team. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability without requiring user privileges by luring victims to interact with a malicious HTML page. Successful exploitation could lead to heap corruption, granting high impacts on confidentiality, integrity, and availability, such as potential arbitrary code execution within the browser's renderer process.

Mitigation is available through the Google Chrome stable channel update to version 146.0.7680.71 or later, as detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html. Additional technical details are provided in the Chromium issue tracker at https://issues.chromium.org/issues/485935314. Security practitioners should prioritize updating affected Chrome installations.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 146.0.7680.71

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free vulnerability in Chrome's WebMIDI component exploited via crafted HTML page requiring user interaction, enabling arbitrary code execution in the renderer process, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/485935314
Permissions Required · chrome-cve-admin@google.com