CVE-2026-3931
Published: 11 March 2026
Summary
CVE-2026-3931 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability ranks at the 24.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation of the known heap buffer overflow flaw through patching Chrome to version 146.0.7680.71 or later.
- Implements memory protection mechanisms like ASLR, DEP, and heap hardening to prevent successful exploitation of the heap-based buffer overflow leading to out-of-bounds access.
- Enforces process isolation via browser sandboxing to contain potential exploitation of the Skia renderer process, limiting impact even if the buffer overflow succeeds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in Chrome's Skia library enables arbitrary code execution via crafted HTML on a malicious website, directly mapping to Drive-by Compromise (T1189) for initial access and Exploitation for Client Execution (T1203) for payload delivery.
NVD Description
Heap buffer overflow in Skia in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysis
CVE-2026-3931 is a heap buffer overflow vulnerability in the Skia graphics library within Google Chrome prior to version 146.0.7680.71. The flaw enables out-of-bounds memory access when processing a crafted HTML page. It maps to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and a Chromium security severity rating of Medium.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website, requiring no privileges or special access. Exploitation over the network has low complexity but depends on user interaction. Successful attacks could achieve high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or memory corruption.
Google's stable channel update addresses the issue in Chrome 146.0.7680.71 and later versions, as announced in the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html. Further technical details are documented in the Chromium issue tracker at https://issues.chromium.org/issues/417599694.
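An added example, not part of the original advisory: a patch-compliance check that flags hosts running Chrome older than the fixed version 146.0.7680.71. The inventory format, hostnames and all version strings other than the fixed version are constructed for illustration.

```python
import re

FIXED = (146, 0, 7680, 71)  # first fixed version, taken from the advisory text

# Four dot-separated numeric fields, not embedded in a longer dotted string.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract a four-part Chrome version from a banner such as
    'Google Chrome 146.0.7680.71'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Compare numerically, field by field. A plain string comparison
    would rank '146.0.7680.9' above '146.0.7680.71' and miss it."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # no parsable version: needs manual follow-up
    return "patched" if v >= fixed else "vulnerable"


def audit(inventory_lines):
    """Group hosts by status from 'host,version banner' lines."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, banner = line.partition(",")
        report[classify(banner)].append(host.strip())
    return report


# Constructed sample inventory (assumed format: host,version banner).
SAMPLE_INVENTORY = """\
# host,version banner
ws-001,Google Chrome 146.0.7680.71
ws-002,Google Chrome 146.0.7680.9
ws-003,Google Chrome 145.0.7632.117
ws-004,Google Chrome 147.0.7700.3 beta
ws-005,not installed
""".splitlines()

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown have no parsable version and should be checked by hand rather than assumed patched.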
Details
- CWE(s)