Chromium’s recent CVE-2026-3921 — a use‑after‑free bug in the TextEncoding component — landed in the headlines not because Google’s Chrome team wanted extra attention, but because Microsoft lists the CVE in its Security Update Guide to tell enterprise and consumer users one simple, crucial fact: the latest Microsoft Edge builds that include the Chromium fix are no longer vulnerable. This article explains exactly what that means, why Microsoft publishes Chrome-assigned CVEs in its guide, how to confirm whether your browser is patched, what the technical risk is, and practical guidance for both home users and IT teams to neutralize this class of vulnerabilities quickly and reliably.
Background / Overview
Chromium is an open‑source browser engine and codebase that powers a wide range of browsers, including Google Chrome and Microsoft Edge (the Chromium‑based Edge). When Google assigns a CVE to a Chromium component and ships a fix in a Chrome stable release, browser vendors that consume Chromium must pull that change into their own builds and ship updates to their users. Microsoft’s Security Update Guide (SUG) documents those CVEs — even when the root issue is in upstream Chromium — to inform customers that Microsoft Edge has ingested the patch and that particular Edge versions are not vulnerable.
In March 2026, Google released a stable Chrome update (Chrome 146.0.7680.71) that fixes a high‑severity use‑after‑free in TextEncoding tracked as CVE‑2026‑3921. Microsoft subsequently documented that CVE in the Security Update Guide and indicated the Edge builds that incorporate the Chromium remediation. If you rely on Edge — either personally or across an organization — you need to know how to verify your version, how to map Edge builds to the upstream Chromium fix, and how to deploy updates at scale.
What is CVE‑2026‑3921 (the short technical summary)
- The bug is a use‑after‑free in the TextEncoding component used inside the Chromium rendering pipeline.
- The vulnerability could be triggered by a crafted HTML page, allowing an attacker to cause heap corruption and potentially achieve more severe outcomes (sandboxed code execution, renderer compromise) depending on subsequent conditions.
- Chromium’s security classification for this issue was High, and the vulnerability carries a CVSS vector consistent with a remote, low‑complexity web attack that requires user interaction (visiting a malicious page).
- Google released the fix as part of Chrome 146.0.7680.71, promoted to the stable channel on March 10, 2026.
- Microsoft documented the Chromium CVE in its Security Update Guide to announce that the Microsoft Edge builds that ingest that Chromium update are no longer vulnerable.
Why Microsoft includes Chrome‑assigned CVEs in the Security Update Guide
Microsoft’s Security Update Guide is designed to be the authoritative source for security updates that affect Microsoft products and services, but the guide does more than list Microsoft‑origin CVEs. When Microsoft Edge consumes an upstream open‑source project like Chromium, vulnerabilities fixed upstream remain relevant to Edge customers until Microsoft ships the integrated fix.
Microsoft documents these Chrome‑assigned CVEs in the Security Update Guide for two clear reasons:
- Transparency: to inform customers which upstream Chromium vulnerabilities have been addressed in recent Edge releases, and which Edge releases include those fixes.
- Actionability: to provide clear mapping so administrators and users can determine whether the Edge version they run is protected or requires updating.
How to see the browser and underlying Chromium version (step‑by‑step)
If you want to check whether your installation is protected against CVE‑2026‑3921, you must check the browser’s internal version details and specifically verify the Chromium revision that Edge reports. Here’s how to do that for common Chromium‑based browsers.
Microsoft Edge (stable / enterprise)
- Open Microsoft Edge.
- Click the three dots menu (…) at the top‑right, then choose Help and feedback → About Microsoft Edge.
- Edge will show its product version and — importantly — the underlying Chromium version it’s built on. Look for a line reading something like:
  - Microsoft Edge 146.0.3856.59 (Official build) (64‑bit)
  - Chromium 146.0.7680.71
- Alternatively, type edge://version into the address bar and press Enter to see the same details in a compact format.
Google Chrome
- Open Chrome and navigate to Help → About Google Chrome, or type chrome://version.
- The About page will show the Chrome product version and the underlying Chromium revision. Ensure your Chrome build is at or above 146.0.7680.71.
Other Chromium‑based browsers (Brave, Vivaldi, Opera, etc.)
- Each browser exposes an internal version page: e.g., brave://version, vivaldi://version, opera://version (or via Help → About).
- Check the displayed Chromium version and compare it to 146.0.7680.71.
Interpreting the numbers
- A typical listing in the browser’s internal page will show two numbers: the browser’s own product version and the key upstream Chromium revision. The relevant comparison for this CVE is the Chromium string. Only if the Chromium string is 146.0.7680.71 or higher is the upstream fix included.
What Microsoft has done and how Edge maps to Chrome’s fix
Microsoft maintains release notes for Microsoft Edge security updates that explicitly state which Edge product versions incorporate the latest Chromium security fixes. In mid‑March 2026 Microsoft published Edge Stable channel build metadata indicating that Edge builds in the 146 series incorporate the latest Chromium security updates, and the associated Security Update Guide entries list the Chrome‑assigned CVEs that were addressed.
Put plainly:
- Google fixed CVE‑2026‑3921 in Chromium and shipped Chrome 146.0.7680.71 on March 10, 2026.
- Microsoft updated Edge to incorporate Chromium's fixes and published Edge Stable channel builds that ingest those Chromium updates (Edge Stable channel builds in the 146 series were released in the week following Chrome’s stable update).
- Microsoft then published the Chrome‑assigned CVE in its Security Update Guide to let customers know they can be protected by installing the corresponding Microsoft Edge update.
Risk analysis — what this vulnerability enables and who should worry most
Use‑after‑free bugs are a mature and well‑understood attack vector in browsers. They are attractive to attackers because they can often be leveraged to escalate control within the renderer process or to bypass mitigations, depending on exploit sophistication and the presence of other memory safety safeguards.
Key points on risk:
- Attack vector: network (attacker hosts or injects a crafted HTML page); user interaction needed (user must navigate to the page).
- Impact: heap corruption; in the worst case, sandboxed code execution. The severity was categorized as High, reflecting that the bug can enable impactful outcomes.
- Exploit status: as of the Chromium/Edge updates in March 2026, there was no public indication that CVE‑2026‑3921 was actively exploited in the wild. However, other Chromium use‑after‑free bugs in 2026 were actively exploited, which underscores the importance of updating promptly.
- Who is most at risk: users who visit untrusted web content, users whose browsing is less constrained by security controls (e.g., users with many installed extensions, legacy compatibility settings), and organizations that delay browser updates across large fleets.
Practical actions for home users (what to do now)
- Check your browser version:
  - For Edge: open About Microsoft Edge or type edge://version and check the Chromium number.
  - For Chrome: open About Google Chrome or type chrome://version.
- Update the browser:
  - For Edge: About Microsoft Edge triggers an update check; relaunch after update completes.
  - For Chrome: About Google Chrome triggers an update check; relaunch to complete installation.
- Confirm the Chromium revision is at least 146.0.7680.71 in the browser’s internal page. If yes, you have the upstream fix for CVE‑2026‑3921.
- Restart the machine if necessary — many enterprise policies require a restart to finish certain updates.
- If you use a different Chromium browser (Brave, Vivaldi, Opera), update when the vendor releases an update that includes Chromium 146.x or the equivalent patched revision.
- If updating is not immediately possible, avoid visiting untrusted sites, disable unnecessary extensions, and consider using a secondary, updated browser for risky browsing tasks.
Practical guidance for IT teams and security managers
For organizations, browser patch management is a continuous discipline. Here are recommended steps to ensure rapid mitigation of CVE‑2026‑3921 and similar Chromium‑origin vulnerabilities:
- Confirm impacted builds: Use the browser internal version page (edge://version) on representative endpoints to determine which Edge builds you have in production. Compare the reported Chromium revision to 146.0.7680.71.
- Map the fix to Edge builds: Consult the Microsoft Edge security release notes and the Security Update Guide for the specific Edge product version that incorporates Chromium’s 146.0.7680.71 fix. Microsoft publishes entries identifying which Edge versions ingest Chromium security updates.
- Deploy updates via managed channels:
  - For Windows desktops, deploy Edge updates via Windows Update for Business, WSUS, or Endpoint Manager (Intune).
  - For macOS and Linux, use the vendor‑provided packages and your normal software management tooling.
  - WebView2 runtimes are commonly managed separately; validate whether the runtime in use needs updating as well.
- Enforce update policy: Configure update policies to minimize drift between released and deployed Edge builds. For zero‑day or high severity fixes, create accelerated deployment rings (pilot, broad) to install the fix quickly.
- Monitor telemetry and logs: Watch for unusual renderer crashes or high rates of tab crashes that could indicate attempted exploitation. Prioritize urgent updates for high‑risk user groups (admins, developers, privileged accounts).
- Consider layered mitigations:
  - Use application isolation (browser sandboxing) and endpoint protections (EDR).
  - Enforce Content Security Policy and limit extension installations.
  - For highly sensitive environments, consider temporarily blocking access to risky content types until the patch is applied.
- Document and communicate: Maintain an internal bulletin that maps Chrome/Chromium CVE IDs to the corresponding Edge build you require. This avoids confusion caused by mismatched numbering between vendors.
Why the mapping between Chromium and Edge versions can be confusing
Chromium’s numbers and each vendor’s product numbers are separate sequences. A single Chromium revision (e.g., 146.0.7680.71) may be incorporated into a vendor’s product build that has an entirely different product version (e.g., Microsoft Edge 146.0.3856.59). That divergence often causes confusion: users see an Edge product version and wonder whether they’re protected against a Chrome CVE.
To reduce confusion:
- Always check the Chromium revision in the browser’s internal version page.
- Use the vendor’s release notes that explicitly state which Chromium security updates were incorporated into which product release.
- For enterprise tracking, maintain a table mapping Chromium revisions to vendor builds your organization accepts or requires.
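The numeric comparison from "Interpreting the numbers" and the mapping table recommended above, combined in an added Python example (not code from Microsoft, Google or this article's author). The Edge 146.0.3856.59 / Chromium 146.0.7680.71 pairing is the one quoted in this article; the host names, the other version strings and the record layout are constructed for illustration.

```python
FIXED_CHROMIUM = "146.0.7680.71"  # revision with the CVE-2026-3921 fix (from the article)

# Vendor product build -> Chromium revision it ingests. The single entry is the
# pairing quoted in the article; extend it from vendor release notes.
BUILD_TO_CHROMIUM = {("edge", "146.0.3856.59"): "146.0.7680.71"}

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def has_fix(chromium_version, fixed=FIXED_CHROMIUM):
    """True when the Chromium revision is at or above the fixed revision."""
    return parse_version(chromium_version) >= parse_version(fixed)

def classify(record):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    # Prefer the Chromium string the browser itself reported (edge://version);
    # fall back to the mapping table when only the product version was collected.
    chromium = record.get("chromium") or BUILD_TO_CHROMIUM.get(
        (record["browser"], record["product"]))
    if chromium is None:
        return "unknown"  # never guess from the product number
    try:
        return "patched" if has_fix(chromium) else "vulnerable"
    except ValueError:
        return "unknown"

# Constructed inventory (hypothetical hosts and record layout).
INVENTORY = [
    {"host": "ws-001", "browser": "edge", "product": "146.0.3856.59", "chromium": "146.0.7680.71"},
    {"host": "ws-002", "browser": "edge", "product": "146.0.3856.59", "chromium": None},
    # Numerically below the fix, although a plain string comparison ranks it higher.
    {"host": "ws-003", "browser": "chrome", "product": "146.0.7680.9", "chromium": "146.0.7680.9"},
    # Product build missing from the mapping table: needs a manual check.
    {"host": "ws-004", "browser": "edge", "product": "147.0.1234.5", "chromium": None},
]

def report(inventory):
    """Map each host to its status."""
    return {r["host"]: classify(r) for r in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown are the ones to resolve by hand against the vendor release notes before adding their build to the table.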
Broader implications and analysis
Including upstream, third‑party CVEs in the Security Update Guide is a practical and beneficial approach, but it introduces both strengths and challenges.
Strengths
- Single source of truth: IT teams and security operators can consult Microsoft’s Security Update Guide to learn whether Edge builds include important upstream fixes, avoiding the need to cross‑check multiple vendor pages.
- Faster mitigation for downstream users: When Microsoft maps and publishes ingestion of Chromium fixes, organizations can quickly validate whether their fleet is protected and take action if not.
- Better transparency: Publishing upstream CVEs alongside Microsoft’s own fixes helps organizations triage risk uniformly across their software inventory.
Potential risks and limitations
- Version mapping complexity: Vendors integrate upstream changes on their own schedule, which can confuse nontechnical users and create a lag between upstream fix availability and downstream ingestion.
- Duplicate CVE noise: Security dashboards and automated scanners that aggregate CVE data may show multiple entries for the same root issue (the original CNA and downstream vendor entries), risking duplicate alerts for operations teams.
- Perception of responsibility: Users might mistakenly assume that a Chrome CVE applies only to Chrome and not to Edge; conversely, seeing a Chrome CVE listed in Microsoft’s SUG without clear guidance could sow confusion if the mapping is not explicitly stated.
Quick reference checklist
- Verify your browser:
  - Edge: edge://version → check Chromium string.
  - Chrome: chrome://version → check Chromium string.
- Confirm the Chromium revision is 146.0.7680.71 or later. If yes, you have the fix for CVE‑2026‑3921.
- If using Edge and the Chromium string is older, update Microsoft Edge to the latest Stable channel build and confirm again.
- For enterprises: use WSUS, Intune, SCCM, or your standard patching mechanism to roll out the Edge build that maps to Chromium 146.0.7680.71.
- If you can’t patch immediately: restrict risky browsing, disable unnecessary extensions, and monitor for renderer crashes.
Final verdict — what readers should take away
CVE‑2026‑3921 is a high‑severity, upstream Chromium use‑after‑free vulnerability fixed in Chrome 146.0.7680.71 on March 10, 2026. Microsoft includes this Chrome CVE in the Security Update Guide to indicate that Edge builds which ingest the Chromium fix are safe. The practical action for both consumers and administrators is to verify the Chromium revision shown in the browser’s internal version page and to update Edge (or whatever Chromium‑based browser you use) to the build that contains the remediation.
Memory corruption bugs like use‑after‑free are regularly targeted by attackers. Even when a specific CVE has no public evidence of exploitation, the historical pattern argues for prompt updates and disciplined patch management. Use the internal version pages, vendor release notes, and enterprise deployment tools to keep your fleet current — and remember that reading the product version alone is not enough; the underlying Chromium revision is the key to knowing whether an upstream fix has been ingested.
Source: MSRC Security Update Guide - Microsoft Security Response Center