CVE-2026-3914
Published: 11 March 2026
Summary
CVE-2026-3914 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the integer overflow vulnerability by requiring timely patching of Google Chrome to version 146.0.7680.71 or later.
Provides memory safeguards such as ASLR and DEP to mitigate heap corruption exploitation leading to arbitrary code execution.
Enforces validation of untrusted HTML inputs to WebML to prevent integer overflows from crafted web parameters.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow in Chrome WebML enables heap corruption/RCE via crafted HTML page delivered through malicious site visit (drive-by) or direct client app exploitation.
NVD Description
Integer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-3914 is an integer overflow vulnerability in the WebML component of Google Chrome prior to version 146.0.7680.71. The flaw allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. It maps to CWE-190 (Integer Overflow or Wraparound) and CWE-472 (External Control of Assumed-Immutable Web Parameter), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as High severity by Chromium security.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, requiring no privileges but relying on user interaction. Successful exploitation enables heap corruption, potentially leading to arbitrary code execution with high impacts on confidentiality, integrity, and availability.
Google addressed the issue in the stable channel update for Desktop Chrome to version 146.0.7680.71, as announced in the Chrome Releases blog post dated March 2026. Additional details are available in the Chromium issue tracker entry at issues.chromium.org/issues/481776048.
This vulnerability affects WebML, the web standard for machine learning model execution in browsers, highlighting risks in emerging AI/ML web features. No public reports of real-world exploitation are noted as of the CVE publication on 2026-03-11.
Details
- CWE(s)