Description
Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Google Chrome incorporates a WebML engine that processes HTML content. A heap buffer overflow exists in versions prior to 146.0.7680.71, permitting an attacker to corrupt heap memory when a crafted HTML page is rendered. The overflow can potentially lead to arbitrary code execution or other destructive actions, as indicated by the chromium security severity assessment. The weakness is a classic heap–based buffer overflow and out‑of‑bounds write, matching CWE‑122 and CWE‑787.

Affected Systems

The flaw affects Google Chrome browsers for all major operating systems (Windows, macOS, Linux) and applies to any installation running a Chrome version older than 146.0.7680.71. Users of the Chrome stable channel before the March 2026 update are therefore at risk, while newer releases incorporate the patch.

Risk and Exploitability

The CVSS score of 8.8 marks this vulnerability as critical, though the EPSS score is listed as < 1%, implying a relatively low probability of widespread exploitation at present. The chromium security notes classify it as a remote attack that requires delivering a malicious HTML page to the victim’s browser; no privilege escalation is mentioned. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing immediate threat perception but not eliminating the risk.

Generated by OpenCVE AI on April 16, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.71 or a later release that contains the WebML fix.
  • If immediate upgrade is not possible, disable the WebML feature via the chrome://flags interface or Chrome Enterprise policy settings to block the vulnerable code path while the update is pending.
  • Configure Chrome to auto‑update and keep it current, and stay alert to further advisories or indicators of exploitation that may arise.

Generated by OpenCVE AI on April 16, 2026 at 02:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Fri, 13 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-787
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Heap buffer overflow in WebML
References
Metrics threat_severity

None

 threat_severity

Critical

Thu, 12 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-122
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T03:55:29.929Z

Reserved: 2026-03-11T05:54:07.527Z

Link: CVE-2026-3913

cve-icon Vulnrichment

Updated: 2026-03-12T12:55:26.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:33.583

Modified: 2026-03-13T15:42:49.310

Link: CVE-2026-3913

cve-icon Redhat

Severity : Critical

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3913 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses