Description
Use after free in WebMIDI in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Heap Corruption leading to Potential Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free bug in the WebMIDI implementation of Google Chrome versions prior to 146.0.7680.71 allows a malicious HTML page to trigger heap corruption. If successfully exploited, the attacker could gain remote code execution capabilities, compromising both the confidentiality and integrity of the affected system. The weakness is classified as CWE‑416.

Affected Systems

Google Chrome releases older than 146.0.7680.71 on macOS, Linux, and Windows are affected. Users on any of these platforms who have not upgraded Chrome are potentially exposed.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is under 1%, so the estimated likelihood of exploitation is currently low, and the issue is not listed in the CISA KEV catalog; neither fact diminishes the potential impact if it is exploited. Because the crafted web page is delivered remotely, any device running an unpatched Chrome installation that visits untrusted sites is at risk.

Generated by OpenCVE AI on April 16, 2026 at 02:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chrome to version 146.0.7680.71 or later
  • If updating is delayed, disable the WebMIDI API in browser settings or through an extension so that a crafted page cannot reach the vulnerable code path
  • Restrict or monitor web traffic that could deliver malicious content to vulnerable browsers

Advisories

Source       ID           Title
Debian DSA   DSA-6164-1   chromium security update
History

Fri, 13 Mar 2026 15:45:00 +0000

First Time appeared
  Values Removed: (empty)
  Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows
CPEs
  Values Removed: (empty)
  Values Added:
    cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
    cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products
  Values Removed: (empty)
  Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Fri, 13 Mar 2026 12:15:00 +0000

Title
  Values Removed: (empty)
  Values Added: chromium-browser: Use after free in WebMIDI
References
Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Important


Thu, 12 Mar 2026 14:15:00 +0000

Metrics
  Values Removed: (empty)
  Values Added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared
  Values Removed: (empty)
  Values Added: Google; Google chrome
Vendors & Products
  Values Removed: (empty)
  Values Added: Google; Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Description
  Values Removed: (empty)
  Values Added: Use after free in WebMIDI in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses
  Values Removed: (empty)
  Values Added: CWE-416
References

MITRE
  Status: PUBLISHED
  Assigner: Chrome
  Published:
  Updated: 2026-03-13T03:55:36.355Z
  Reserved: 2026-03-11T05:54:10.642Z
  Link: CVE-2026-3923

Vulnrichment
  Updated: 2026-03-12T13:13:00.704Z

NVD
  Status: Analyzed
  Published: 2026-03-11T22:16:34.860
  Modified: 2026-03-13T15:42:16.763
  Link: CVE-2026-3923

Redhat
  Severity: Important
  Public Date: 2026-03-10T00:00:00Z
  Links: CVE-2026-3923 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-16T03:00:09Z

Weaknesses