Description
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Published: 2026-03-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Corruption and Potential Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A use‑after‑free bug exists in the WebView component of Google Chrome on Android. A malicious web page can trigger a heap corruption that may lead to arbitrary code execution. The vulnerability is identified as CWE‑416 and is scored as a CVSS 8.8, indicating high severity from a security perspective.

Affected Systems

The flaw affects Chrome browsers on Android prior to version 146.0.7680.71. Users of older Chrome builds on Android devices are at risk; other platforms are not affected by this specific issue.

Risk and Exploitability

The exploit requires the attacker to host or deliver a specially crafted HTML page to the victim’s Chrome WebView. Although the EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, the high CVSS score and remote nature make it a significant risk for enterprise environments that rely on Android Chrome for web content.

Generated by OpenCVE AI on March 17, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome on Android to version 146.0.7680.71 or later

Generated by OpenCVE AI on March 17, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6164-1 chromium security update
History

Fri, 20 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Chrome WebView Enables Heap Corruption via Crafted HTML

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 12 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-13T03:55:40.613Z

Reserved: 2026-03-11T05:54:14.400Z

Link: CVE-2026-3936

cve-icon Vulnrichment

Updated: 2026-03-12T15:14:09.282Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T22:16:36.250

Modified: 2026-03-13T20:14:58.717

Link: CVE-2026-3936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:44Z

Weaknesses