CVE-2026-3921
Published: 11 March 2026
Summary
CVE-2026-3921 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation means applying the Chrome 146.0.7680.71 patch, which directly fixes the use-after-free in TextEncoding.
Memory protection mechanisms such as ASLR and DEP mitigate the heap corruption that results from the use-after-free in Chrome's TextEncoding component by making it harder to turn that corruption into reliable code execution.
Process isolation sandboxes the Chrome renderer process, so a heap-corruption exploit triggered by a crafted HTML page is confined to that sandboxed process and cannot directly reach the rest of the system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability in Chrome's TextEncoding component enables arbitrary code execution in the browser's renderer process via a crafted HTML page, directly mapping to Exploitation for Client Execution (T1203).
NVD Description
Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-3921 is a use-after-free vulnerability (CWE-416) in the TextEncoding component of Google Chrome prior to version 146.0.7680.71. Published on 2026-03-11, it enables a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium rates its security severity as High, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this by luring a user into visiting a crafted HTML page; user interaction is required, as the UI:R component of the vector indicates. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially leading to heap corruption and arbitrary code execution within the browser's renderer process.
Google addressed this in Chrome stable channel version 146.0.7680.71. For mitigation details, refer to the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/484946544.
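Since the only direct fix is the 146.0.7680.71 stable build, the first defensive task is finding which endpoints still run an older Chrome. The following fleet check is an added example written for this page, not code from the advisory or from Google; the inventory format (hostname,channel,version) and the sample rows are constructed, and malformed version strings are deliberately reported rather than treated as patched.

```python
# Fleet check for CVE-2026-3921: flag Chrome builds older than the fixed
# stable release 146.0.7680.71 named in the advisory. The inventory format
# (hostname,channel,version) and the rows below are constructed for this
# example; adapt the loader to your own asset inventory.
from __future__ import annotations

FIXED_VERSION = "146.0.7680.71"  # fixed stable-channel build from the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version such as '146.0.7680.71' into a tuple.
    Chrome versions have four numeric components; anything else raises, so a
    malformed inventory row fails loudly instead of comparing as patched."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: hostname,channel,version
SAMPLE_INVENTORY = """\
ws-0101,stable,146.0.7680.71
ws-0102,stable,146.0.7680.52
ws-0103,stable,145.0.7632.120
ws-0104,stable,147.0.7700.3
ws-0105,stable,unknown
"""


def hosts_needing_patch(inventory: str) -> tuple[list[str], list[str]]:
    """Return (hosts on a vulnerable build, hosts whose version did not parse).
    Unparseable rows are reported separately: an unknown version has to be
    verified by hand, never assumed safe."""
    vulnerable, unparsed = [], []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _channel, version = line.split(",", 2)
        try:
            if is_vulnerable(version):
                vulnerable.append(host)
        except ValueError:
            unparsed.append(host)
    return vulnerable, unparsed
```

Running `hosts_needing_patch(SAMPLE_INVENTORY)` on the constructed rows reports ws-0102 and ws-0103 as needing the patch and ws-0105 as requiring manual verification.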
Details
- CWE(s)