A critical-severity heap buffer overflow buried inside Chrome's on-device AI engine can hand a remote attacker full code execution on your machine. The attack requires no user interaction beyond loading a web page. Chrome 146, released March 10, 2026, is the fix — and if your browser hasn't updated yet, the clock is ticking.
On March 10, 2026, Google pushed Chrome version 146 to the stable channel for Windows, macOS, and Linux. The release resolved 29 tracked security vulnerabilities. One of them — CVE-2026-3913 — earned a "Critical" severity rating from Google's security team. That designation is not handed out freely. In the context of a browser, it typically means a remote attacker can achieve arbitrary code execution on a victim machine without requiring any file download, plugin installation, or elevated privilege. The attack surface is a single crafted HTML page.
The vulnerability sits inside Chrome's WebML component — the browser's built-in layer for running machine learning inference directly on a user's device. Understanding why that particular component exists, and why it carries memory-corruption risk, is essential to grasping the full weight of this flaw.
What WebML Is and Why It Became a Target
WebML is not a third-party plugin or an obscure experimental API. It is Chrome's native framework for on-device AI processing, standardized under the W3C Web Machine Learning Working Group and shipped as part of the browser's core. The component powers a growing family of browser-native capabilities: the Translator API, the Summarizer API, the Writer and Rewriter APIs, and the broader Prompt API that connects web pages to Gemini Nano — Google's lightweight on-device language model.
The premise is compelling from a privacy and performance standpoint. When inference runs on the user's own hardware, data never leaves the device. There is no network round-trip, no per-token cloud billing, and no dependency on an external API being available. For developers building AI-assisted features into web applications — autocomplete, real-time summarization, language translation — the economics are dramatically better than cloud-hosted alternatives.
"AI inference on the web is available today across a large section of devices, and AI processing can happen in the web page itself, leveraging the hardware on the user's device." — Chrome for Developers, Google
But that same architectural reality — a browser component that performs intensive, low-level memory operations to process tensor computations, model weights, and inference pipelines — creates exactly the kind of attack surface that researchers and threat actors look for. WebML sits at the boundary between JavaScript executed by a webpage and native code running on the host system. Any memory management error in that boundary layer can be catastrophic. That is where CVE-2026-3913 lives.
The W3C's formal adoption of WebML APIs such as the Translator and Summarizer APIs signals that this component is only going to grow in scope and adoption. As Chrome for Developers' documentation notes, several of the built-in AI APIs are already available in Chrome stable and origin trials. Greater adoption means a larger installed base of potentially vulnerable users when flaws emerge — and a more attractive target for researchers and attackers alike.
How the Vulnerability Works
The official CVE description, published by MITRE on March 11, 2026, states: "Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"
A heap buffer overflow is a specific class of memory corruption flaw. When a program allocates a block of memory on the heap to store data, it assigns that block a fixed size. A heap buffer overflow occurs when the program writes more data into that block than the allocated size permits. The excess data spills into adjacent memory regions, overwriting whatever was stored there.
In a controlled exploit, an attacker does not allow this overflow to crash the program randomly. Instead, they craft the input with precision — overwriting specific heap metadata, function pointers, or object structures in a way that redirects program execution to attacker-controlled code. When that code runs inside a browser process that has access to the user's filesystem, network stack, and system resources, the attacker effectively controls the machine.
What makes this particular flaw especially dangerous is the delivery mechanism. There is no executable file to download. There is no Office macro to enable. There is no social engineering step beyond a link or a redirect. The attacker simply needs the victim to load an HTML page. That page triggers the WebML component with a carefully sized payload, the heap overflow occurs inside the renderer process, and if exploitation succeeds, the attacker's code runs.
Google's own advisory confirms that the attack vector is a crafted HTML page. The technical specifics of exactly how the overflow is triggered — which WebML operation is affected, what data structure is overflowed, and what the precise memory layout must look like for reliable exploitation — have been intentionally withheld pending wider patch adoption. That is standard practice for responsible vulnerability disclosure, and it is the right call.
If your Chrome version is below 146.0.7680.71 (Linux) or 146.0.7680.71 / 146.0.7680.72 (Windows and macOS), you are exposed to CVE-2026-3913. Open Chrome, go to the three-dot menu, select Help → About Google Chrome, and allow the update to install. Restart the browser when prompted. The update takes less than two minutes.
The Chrome 146 Patch: Scope and Scale
CVE-2026-3913 is the headline item in the Chrome 146 release, but it sits inside a much larger patch drop. Google resolved 29 security vulnerabilities in this update, covering a wide range of browser components. The severity distribution across those 29 fixes was: 1 Critical, 11 High, 11 Medium, and 5 Low. Of the 29 total fixes, 25 were assigned public CVE identifiers. The remaining four were internal Google findings that did not require external disclosure.
| CVE | Severity | Component | Type | Bounty |
|---|---|---|---|---|
| CVE-2026-3913 | Critical | WebML | Heap Buffer Overflow | $33,000 |
| CVE-2026-3914 | High | WebML | Memory Corruption | $43,000 |
| CVE-2026-3915 | High | WebML | Memory Corruption | $43,000 |
| CVE-2026-3916 | High | Web Speech | Out-of-Bounds Read | — |
| CVE-2026-3917 | High | Agents | Use-After-Free | — |
| CVE-2026-3918 | High | WebMCP | Use-After-Free | — |
| CVE-2026-3919 | High | Extensions | Use-After-Free | — |
| CVE-2026-3921–3924 | High | TextEncoding, MediaStream, WebMIDI, WindowDialog | Use-After-Free | — |
A pattern worth noting: use-after-free (UAF) vulnerabilities dominate the high-severity tier of this release. A UAF flaw occurs when a program holds a reference (a pointer) to a block of memory after that memory has been freed and potentially reallocated for something else. When the stale pointer is later used to read or write, the program is operating on data it does not own. Attackers routinely chain UAF bugs with other techniques to break out of browser security sandboxes — the isolation layer that is supposed to prevent renderer-process compromises from reaching the host operating system.
The presence of UAF bugs across components as varied as Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, and WindowDialog illustrates that memory management errors are not isolated to any single subsystem. They are a structural challenge in writing complex, high-performance C++ software at browser scale.
What the Bounty Numbers Reveal
Google awarded $33,000 to security researcher Tobias Wienand for discovering and responsibly disclosing CVE-2026-3913. Wienand reported the flaw on February 10, 2026 — exactly 28 days before the patch shipped in Chrome 146. That turnaround reflects well on Google's internal response process.
The $33,000 figure itself is significant. Google's Vulnerability Reward Program tiers payouts based on impact. A Critical-rated remote code execution vulnerability in a widely deployed component commands a premium. But the WebML component drew even larger rewards for its two high-severity companions: CVE-2026-3914 and CVE-2026-3915 each earned $43,000, making WebML the single most financially rewarded component in this entire patch cycle. Combined, the three WebML bugs generated $119,000 in researcher payouts from one update.
"The WebML component — Chrome's built-in layer for running on-device AI inference — appears four times across the critical and high tiers, suggesting the API's attack surface is drawing serious scrutiny as its adoption grows." — pbxscience.com
Bug bounty payouts function as a rough proxy for perceived impact and exploitability. When researchers and Google's internal reviewers both assign high value to bugs in a specific component, that signals the component is both widely targeted and carries real exploitation potential. The concentration of high-value bugs in WebML across a single release cycle is a data point that should concern any security team responsible for managing a Chrome fleet.
In total, Google paid out well over $150,000 in combined bug bounties to independent researchers for the vulnerabilities addressed in Chrome 146 — one of the larger single-release payout totals in recent browser security history.
Why Google Is Withholding Technical Details
Google's official advisory states that access to specific bug details and exploit links is restricted until a majority of Chrome users have installed the fix. This is a deliberate and responsible policy, and understanding its logic matters for anyone trying to assess their own risk window.
When a patch ships, it contains the fix but also — implicitly — a hint about what was broken. A skilled reverse engineer can compare the patched binary against the unpatched version, isolate the changed code, and reconstruct what the original vulnerability looked like. This process, called patch diffing, typically takes anywhere from a few hours to a few days depending on complexity. Once that analysis is complete, it can be weaponized.
Chrome's update mechanism is not instantaneous. Google stages rollouts across its user base over days to weeks, partly to catch regressions before they reach everyone. That means a window exists between the moment a patch is public and the moment the typical Chrome installation has received it. By withholding precise technical details during that window, Google increases the practical cost of weaponizing the bug — buying time for the installed base to update.
As of March 18, 2026, Google has not reported any confirmed in-the-wild exploitation of CVE-2026-3913. That status can change, and the absence of confirmed exploitation does not mean the vulnerability is not being actively studied by threat actors. Patch without delay.
The no-exploitation-confirmed status is meaningful context but should not breed complacency. Critical browser vulnerabilities with clean remote-code-execution primitives attract well-resourced threat actors — ranging from cybercriminal groups seeking financial gain to state-sponsored operators pursuing espionage objectives. The gap between "no confirmed exploitation" and "active exploitation in the wild" can close quickly once technical details circulate.
Microsoft Edge and Chromium-Based Browsers
CVE-2026-3913 was assigned by Chrome and affects the Chromium engine, which Microsoft Edge ingests as its core rendering layer. Microsoft has confirmed that Edge will address this vulnerability through its own Chromium update intake process. Users of Edge and other Chromium-based browsers — including Brave, Vivaldi, and Opera — should verify that their browsers have received the corresponding Chromium 146 update or the equivalent patched build from their respective vendors.
Chrome's Accelerating Patch Cadence
Alongside the Chrome 146 security release, Google announced a structural change to its stable update cycle: the cadence is moving from four weeks to two weeks. The full transition to the two-week rhythm is expected to complete by autumn 2026. For security operations teams, this means faster patch availability — but also a faster drumbeat of update management obligations. Vulnerability tracking and patch deployment workflows that assumed a monthly cycle will need recalibration.
Key Takeaways and What To Do Now
- Update Chrome immediately. The fix is in Chrome 146.0.7680.71 (Linux) and 146.0.7680.71/72 (Windows and macOS). Navigate to Help → About Google Chrome to force a check and install the update. A browser restart is required to apply the patch.
- WebML is a growing attack surface. Chrome's on-device AI component appeared four times across the critical and high-severity tiers in a single patch cycle. As WebML adoption expands and the API surface grows, expect continued researcher and attacker attention. Security teams should treat this component as a recurring area of concern, not a one-time event.
- Use-after-free bugs are epidemic in this release. The eleven high-severity CVEs in Chrome 146 are dominated by UAF flaws spread across a wide range of browser subsystems. UAF vulnerabilities are the primary technique used to break browser sandboxes. A single UAF can be difficult to exploit in isolation; chained with another memory corruption bug, it becomes a sandbox escape primitive.
- Patch diffing means your window is narrow. Even without Google's official technical disclosure, skilled reverse engineers can reconstruct exploit details from the patched binary. Once Chrome 146 is widely distributed, those details will circulate. Organizations managing large Chrome fleets should prioritize deployment speed over testing cycles for Critical-rated browser updates.
- Chromium-based browsers are also affected. Edge, Brave, Vivaldi, and other Chromium derivatives all share this attack surface. Ensure vendor update policies are aligned with the underlying Chromium patching timeline, not just the vendor's own release schedule.
CVE-2026-3913 is a textbook example of why browser security demands constant attention. The attack surface is not static — it grows every time a new capability like WebML is added to the browser's core. The performance and privacy benefits of on-device AI inference are real and legitimate. So is the corresponding obligation to audit the low-level code that implements those features with the same rigor applied to any other memory-unsafe component running at browser-process privilege. One crafted web page is all it takes. Update now.
Sources: Google Chrome Releases Blog — NVD CVE-2026-3913 — Cyber Security News — PBX Science — Chrome for Developers — Built-in AI