Description
Use after free in MediaStream in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free bug in Chrome’s MediaStream implementation can corrupt the heap, allowing an attacker to execute arbitrary code when a user visits a crafted web page.

Affected Systems

Google Chrome browsers prior to version 146.0.7680.71 on all major operating systems – Windows, macOS, Linux – are affected. The vulnerability is specific to the Chromium‑based Chrome rendering engine.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating a high severity. The EPSS score is below 1 %, suggesting that historic exploitation has been limited and it does not appear in the CISA KEV catalog. Attack vectors require a remote attacker to deliver a malicious HTML page that exploits the media‑stream path; thus the risk is contingent on user interaction with compromised or malicious sites.

Generated by OpenCVE AI on April 16, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 146.0.7680.71 or later on all affected systems.
  • If an immediate update is not possible, restrict or disable the getUserMedia API on the browser, for example by using site‑specific flags or extensions that block media stream access for untrusted origins.
  • Maintain strict control over websites accessed from corporate networks; employ web filtering and user awareness programs to reduce exposure to malicious web content.

Generated by OpenCVE AI on April 16, 2026 at 02:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Fri, 13 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in MediaStream
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Use after free in MediaStream in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T03:55:35.609Z

Reserved: 2026-03-11T05:54:10.393Z

Link: CVE-2026-3922

cve-icon Vulnrichment

Updated: 2026-03-12T13:12:12.793Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:34.733

Modified: 2026-03-13T15:42:22.127

Link: CVE-2026-3922

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3922 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses