Description
Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use‑after‑free condition within the WebMCP component of Google Chrome. A malicious web page can trigger a heap corruption, which may allow the attacker to execute arbitrary code or crash the browser. The weakness is classified as CWE‑416 and is positioned as a high‑severity issue. The impact would cover confidentiality and integrity of data accessed by the browser and could elevate local processes to higher privileges if the attacker gains control of the heap.

Affected Systems

Google:Chrome versions earlier than 146.0.7680.71 are affected by this use‑after‑free flaw. The vulnerability is present on all operating systems supported by Chrome, including macOS, Linux, and Windows, as indicated by the associated CPE entries.

Risk and Exploitability

The CVSS score of 8.8 marks this flaw as a high‑risk vulnerability. The EPSS score is reported as less than 1%, suggesting that current exploit activity is low but not nonexistent. The vulnerability is not listed in the CISA KEV catalog, indicating that no public exploits have been documented yet. The attack vector appears to be a remote crafted HTML page loaded in the browser, meaning that any user visiting a malicious site could be at risk. The exploitation requires no special user interaction beyond rendering the page, making it a straightforward remote attack scenario.

Generated by OpenCVE AI on April 16, 2026 at 09:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.71 or later to obtain the official patch that removes the use‑after‑free condition.
  • Enable automatic updates for Google Chrome to ensure that the latest security patches are applied without manual intervention.
  • As a temporary measure, launch Chrome with the flag `--disable-features=WebMCP` or configure the Chrome policy to block WebM decoding, thereby disabling the vulnerable component until a patch is available.

Generated by OpenCVE AI on April 16, 2026 at 09:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Fri, 13 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in WebMCP
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T03:55:32.487Z

Reserved: 2026-03-11T05:54:09.323Z

Link: CVE-2026-3918

cve-icon Vulnrichment

Updated: 2026-03-12T19:27:23.032Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:34.243

Modified: 2026-03-13T15:43:17.190

Link: CVE-2026-3918

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3918 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses