Description
Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential for remote code execution or data disclosure (inferred)
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an integer overflow in the WebML component of Google Chrome, allowing a crafted HTML page to overflow a buffer and corrupt heap memory. This flaw is mapped to CWE-190, an integer overflow, and CWE-472, an unsynchronized access to shared resources. When triggered, the attacker could potentially hijack program flow, leading to remote code execution or data disclosure (inferred).

Affected Systems

The issue affects Google Chrome versions prior to 146.0.7680.71 on all major operating systems, including Windows, macOS, and Linux, as the browser’s WebML implementation is cross‑platform.

Risk and Exploitability

With a CVSS score of 8.8 and an EPSS below 1%, the vulnerability is rated high severity but currently has a low probability of widespread exploitation. It is not listed in the CISA KEV catalog, and the attack vector is remote, requiring the victim to load a malicious webpage that contains the crafted content (inferred).

Generated by OpenCVE AI on April 16, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Chrome release that includes the patch (146.0.7680.71 or newer).
  • Ensure Chrome’s automatic update mechanism is enabled to receive future security fixes promptly.
  • Restrict or disable the WebML API in Chrome (e.g., by using the --disable-features=WebML flag or applying enterprise policy) until the patch is deployed.



Advisories
Source | ID | Title
Debian DSA | DSA-6164-1 | chromium security update

History

Fri, 13 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
Weaknesses | | CWE-190
CPEs | | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*; cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | chromium-browser: Integer overflow in WebML
References | |
Metrics | threat_severity: None | threat_severity: Important


Thu, 12 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google chrome
Vendors & Products | | Google; Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses | | CWE-472
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T03:55:30.950Z

Reserved: 2026-03-11T05:54:07.937Z

Link: CVE-2026-3914

Vulnrichment

Updated: 2026-03-12T12:58:05.200Z

NVD

Status: Analyzed

Published: 2026-03-11T22:16:33.713

Modified: 2026-03-13T15:42:54.950

Link: CVE-2026-3914

Redhat

Severity: Important

Public Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3914 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses