CVE-2026-3918
Published: 11 March 2026
Summary
CVE-2026-3918 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3918 is a use-after-free vulnerability (CWE-416) in the WebMCP component of Google Chrome prior to version 146.0.7680.71. This flaw enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.
A remote attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, though it requires user interaction such as visiting a malicious webpage. Successful exploitation could result in high impacts to confidentiality, integrity, and availability through heap corruption.
Google's stable channel update for Chrome desktop, announced at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html, addresses this issue in version 146.0.7680.71 and later. Additional details are available in the Chromium bug tracker at https://issues.chromium.org/issues/483853103.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11428
Vulnerability details
Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free vulnerability in Google Chrome exploited via crafted HTML page requiring user interaction to visit a malicious webpage, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely patching of the specific use-after-free vulnerability in Chrome's WebMCP component as released in version 146.0.7680.71.
Provides memory boundary protections such as ASLR and DEP that directly mitigate use-after-free heap corruption exploits.
Deploys malicious code protection tools capable of scanning and blocking crafted HTML pages exploiting the WebMCP vulnerability.