CVE-2026-3936
Published: 11 March 2026
Summary
CVE-2026-3936 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in Chrome WebView by requiring timely identification, testing, and deployment of patches such as version 146.0.7680.71.
Implements memory protection mechanisms like ASLR and non-executable memory to prevent unauthorized code execution from heap corruption caused by the use-after-free flaw.
Enforces process isolation through sandboxing to contain potential exploitation of the WebView heap corruption within the browser process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The use-after-free vulnerability in Chrome WebView is exploited via a crafted HTML page on a malicious site requiring user interaction, directly enabling drive-by compromise (T1189) for initial access and exploitation for client execution (T1203).
NVD Description
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-3936 is a use-after-free vulnerability (CWE-416) in the WebView component of Google Chrome on Android versions prior to 146.0.7680.71. The flaw enables a remote attacker to potentially exploit heap corruption by means of a crafted HTML page. Chromium security severity is rated as Medium, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker without privileges can exploit this vulnerability over the network with low attack complexity, though it requires user interaction, such as visiting a malicious site. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing heap corruption that leads to arbitrary code execution or other severe effects within the affected browser context.
Google has mitigated this issue in Chrome for Android version 146.0.7680.71 and later. Additional details on the patch and stable channel update are available in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html and the Chromium issue tracker at https://issues.chromium.org/issues/481920229.
Details
- CWE(s)