CVE-2026-3926
Published: 11 March 2026
Summary
CVE-2026-3926 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely remediation of known flaws like the V8 out-of-bounds read vulnerability through patching to Chrome 146.0.7680.71 or later.
Implements memory protection controls such as address space layout randomization and data execution prevention to minimize out-of-bounds read exploits in the V8 JavaScript engine.
Requires vulnerability scanning to identify and prioritize the CVE-2026-3926 flaw in deployed Chrome instances for subsequent remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read in V8 JS engine via crafted HTML page directly enables drive-by compromise through malicious website visits (T1189) and exploitation of client application for code execution/info disclosure (T1203).
NVD Description
Out of bounds read in V8 in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-3926 is an out-of-bounds read vulnerability (CWE-125) in the V8 JavaScript engine within Google Chrome prior to version 146.0.7680.71. Published on 2026-03-11, it enables a remote attacker to perform out-of-bounds memory access via a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security standards.
A remote attacker without privileges can exploit this vulnerability by luring a user to visit a malicious website hosting the crafted HTML page, requiring user interaction such as clicking or rendering the content. The low attack complexity allows exploitation over the network, potentially resulting in high confidentiality, integrity, and availability impacts, including information disclosure, code execution, or denial of service through arbitrary memory access.
Mitigation is available via the Google Chrome stable channel update for desktop, which patches the flaw in version 146.0.7680.71 and later, as announced at chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html. Further technical details are documented in the Chromium issue tracker at issues.chromium.org/issues/478659010. Security practitioners should prioritize updating affected Chrome installations.
Details
- CWE(s)