CVE-2026-3936

High

Published: 11 March 2026

Published

11 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free vulnerability in Chrome WebView by requiring timely identification, testing, and deployment of patches such as version 146.0.7680.71.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms like ASLR and non-executable memory to prevent unauthorized code execution from heap corruption caused by the use-after-free flaw.

SC-39 Process Isolation partial match

prevent

Enforces process isolation through sandboxing to contain potential exploitation of the WebView heap corruption within the browser process.

Security SummaryAI

CVE-2026-3936 is a use-after-free vulnerability (CWE-416) in the WebView component of Google Chrome on Android versions prior to 146.0.7680.71. The flaw enables a remote attacker to potentially exploit heap corruption by means of a crafted HTML page. Chromium security severity is rated as Medium, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit this vulnerability over the network with low attack complexity, though it requires user interaction, such as visiting a malicious site. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing heap corruption that leads to arbitrary code execution or other severe effects within the affected browser context.

Google has mitigated this issue in Chrome for Android version 146.0.7680.71 and later. Additional details on the patch and stable channel update are available in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/481920229.

Details

CWE(s): CWE-416

Affected Products

google

chrome

≤ 146.0.7680.71

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The use-after-free vulnerability in Chrome WebView is exploited via a crafted HTML page on a malicious site requiring user interaction, directly enabling drive-by compromise (T1189) for initial access and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/481920229
Permissions Required · chrome-cve-admin@google.com