Cyber Resilience

CVE-2026-3921

High

Published: 11 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: available (Chrome 146.0.7680.71)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (18.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3921 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 18.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3921 is a use-after-free vulnerability (CWE-416) in the TextEncoding component of Google Chrome prior to version 146.0.7680.71. Published on 2026-03-11, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit this by luring a user to interact with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially leading to heap corruption and arbitrary code execution within the browser's renderer process.

Google addressed this in Chrome stable channel version 146.0.7680.71. For mitigation details, refer to the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/484946544.

Vulnerability details

Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The use-after-free vulnerability in Chrome's TextEncoding component enables arbitrary code execution in the browser's renderer process via a crafted HTML page, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

google chrome ≤ 146.0.7680.71

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): timely flaw remediation ensures application of the Chrome 146.0.7680.71 patch, which directly fixes the use-after-free vulnerability in TextEncoding.

Prevent (SI-16, Memory Protection): memory protection mechanisms such as ASLR and DEP directly mitigate heap corruption resulting from the use-after-free in Chrome's TextEncoding component.

Prevent (SC-39, Process Isolation): process isolation sandboxes the Chrome renderer process to limit the impact of heap corruption exploits triggered by crafted HTML pages.
