CVE-2026-3913: Google Chrome WebML Buffer Overflow Flaw

CVE-2026-3913 Overview

A heap buffer overflow vulnerability exists in the WebML component of Google Chrome prior to version 146.0.7680.71. This critical security flaw allows a remote attacker to potentially exploit heap corruption through a crafted HTML page, which could lead to arbitrary code execution in the context of the browser process.

Critical Impact
Remote attackers can trigger heap corruption via malicious web content, potentially achieving code execution without requiring user authentication—only user interaction with a crafted webpage.

Affected Products

Google Chrome versions prior to 146.0.7680.71
Chromium-based browsers using vulnerable WebML implementation
Any platform running affected Chrome versions (Windows, macOS, Linux)

Discovery Timeline

2026-03-11 - CVE-2026-3913 published to NVD
2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-3913

Vulnerability Analysis

This vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), which occurs when data is written beyond the boundaries of allocated heap memory. In the context of WebML—Chrome's implementation for machine learning inference in the browser—the overflow can be triggered when processing specially crafted HTML content that invokes WebML APIs with malformed or unexpected input data.

The heap corruption resulting from this overflow can have severe consequences, including modification of adjacent heap structures, corruption of object metadata, and ultimately the potential for arbitrary code execution. Since this vulnerability is exploitable via a crafted HTML page, any user visiting a malicious website or viewing compromised web content could be affected.

Root Cause

The root cause stems from improper bounds checking in the WebML component when handling input data. WebML processes tensor data and model parameters that require careful memory management. When the component allocates heap buffers for these operations, insufficient validation of input dimensions or data sizes allows an attacker to supply values that cause writes beyond the allocated buffer boundaries.

This type of memory corruption vulnerability is particularly dangerous in browser contexts because:

Browsers execute untrusted code from arbitrary websites
Modern exploitation techniques can leverage heap corruption for reliable code execution
WebML processing involves complex data structures that increase attack surface

Attack Vector

The attack is network-based and requires user interaction—specifically, the victim must navigate to or be redirected to a webpage containing the malicious HTML content. The attacker crafts an HTML page that invokes WebML functionality with parameters designed to trigger the heap overflow. This could be delivered through:

Direct links to attacker-controlled websites
Compromised legitimate websites (watering hole attacks)
Malicious advertisements (malvertising)
Embedded content in emails or documents

Once the victim's browser renders the malicious page, the WebML component processes the crafted content, triggering the heap buffer overflow. Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the Chrome browser process.

Detection Methods for CVE-2026-3913

Indicators of Compromise

Unusual Chrome process crashes, particularly those involving memory corruption or heap errors
Browser crash reports referencing WebML or machine learning components
Suspicious network traffic to unknown domains immediately before browser crashes
Evidence of code execution from browser process memory regions

Detection Strategies

Monitor browser version deployments and flag systems running Chrome versions prior to 146.0.7680.71
Implement endpoint detection rules for unusual Chrome renderer process behavior
Deploy network-based detection for HTML content containing suspicious WebML API calls
Enable Chrome crash reporting and monitor for heap corruption signatures

Monitoring Recommendations

Centralize Chrome crash dump collection and analysis for early detection of exploitation attempts
Monitor for unusual child process spawning from Chrome browser processes
Implement browser telemetry to track WebML feature usage across the organization
Review web proxy logs for access to known malicious domains or suspicious redirect chains

How to Mitigate CVE-2026-3913

Immediate Actions Required

Update Google Chrome to version 146.0.7680.71 or later immediately across all managed endpoints
Verify automatic updates are functioning correctly on all systems
Consider temporarily blocking or restricting access to untrusted websites until patching is complete
Ensure endpoint protection solutions are updated with latest detection signatures

Patch Information

Google has released Chrome version 146.0.7680.71 which addresses this vulnerability. The update was announced via the Chrome Releases Blog. Additional technical details can be found in the Chromium Issue Tracker.

Organizations should prioritize deployment of this update given the critical severity rating and the potential for remote code execution. Chrome's automatic update mechanism should handle most consumer deployments, but enterprise environments may require manual intervention through management tools.

Workarounds

If immediate patching is not possible, consider using browser isolation technologies to contain potential exploitation
Implement strict content security policies (CSP) to limit execution of untrusted scripts
Deploy web filtering to block access to known malicious sites and suspicious content categories
Consider temporarily disabling hardware acceleration or WebML-dependent features if supported by enterprise policies

bash

# Verify Chrome version on endpoints
google-chrome --version
# Expected output should show 146.0.7680.71 or higher

# Force Chrome update check (Linux example)
google-chrome --check-for-update-interval=0

# Enterprise: Query Chrome version via registry (Windows)
reg query "HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon" /v version