{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3929", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-11T05:54:12.459Z", "datePublished": "2026-03-11T22:04:10.945Z", "dateUpdated": "2026-03-12T15:08:04.687Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.71", "status": "affected", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Side-channel information leakage in ResourceTiming in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Side-channel information leakage", "cweId": "CWE-1300"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:10.945Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/477180001"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:08:01.389937Z", "id": "CVE-2026-3929", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:08:04.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3929", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:08:01.389937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:07:54.916Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "146.0.7680.71", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/477180001"}], "descriptions": [{"lang": "en", "value": "Side-channel information leakage in ResourceTiming in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1300", "description": "Side-channel information leakage"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:10.945Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3929", "state": "PUBLISHED", "dateUpdated": "2026-03-12T15:08:04.687Z", "dateReserved": "2026-03-11T05:54:12.459Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-11T22:04:10.945Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9898EF8-B616-4762-BD38-FFD790EE7517", "versionEndExcluding": "146.0.7680.71", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Side-channel information leakage in ResourceTiming in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)"}, {"lang": "es", "value": "La fuga de informaci\u00f3n por canal lateral en ResourceTiming en Google Chrome anterior a 146.0.7680.71 permiti\u00f3 a un atacante remoto filtrar datos de origen cruzado a trav\u00e9s de una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Media)"}], "id": "CVE-2026-3929", "lastModified": "2026-03-13T15:41:23.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T22:16:35.557", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/477180001"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1300"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Side-channel information leakage in ResourceTiming", "id": "2446870", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446870"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["A side-channel information leakage flaw was found in the ResourceTiming component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=477180001"], "name": "CVE-2026-3929", "public_date": "2026-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3929\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3929\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html\nhttps://issues.chromium.org/issues/477180001"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.71,146.0.7680.71)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T02:53:08.962026+00:00", "value": {"mitigation_remediation": ["Upgrade Chrome to version 146.0.7680.71 or newer", "If automatic updating is disabled, explicitly install the latest stable release or configure enterprise policy to block cross\u2011origin ResourceTiming", "Maintain Chrome\u2019s auto\u2011update feature to receive future security patches promptly"], "summary": {"action": "Update", "impact": "Information disclosure via cross-origin ResourceTiming data leakage"}, "threat_synthesis": {"affected_systems": "All Chrome releases predating 146.0.7680.71 on Windows, macOS and Linux are affected. The vulnerability is tied to the browser\u2019s implementation of the ResourceTiming interface and is independent of the underlying operating system beyond the fact that Chrome runs on Windows, macOS, and Linux.", "description_and_impact": "This vulnerability is a side\u2011channel information leak in Chrome\u2019s ResourceTiming API. Prior to Chrome version 146.0.7680.71, a malicious webpage could be crafted to extract timing data that reveals user activity on cross\u2011origin resources, effectively allowing a remote attacker to observe sensitive cross\u2011domain information.", "risk_and_exploitability": "The CVSS score of 3.1 indicates a low overall severity, and the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited current exploitation. The attack likely requires a victim to visit a malicious web page that can use the ResourceTiming API to read timing data of cross\u2011origin requests."}}}}, "created": "2026-03-12T09:55:22.971390+00:00", "updated": "2026-04-16T03:00:09.184699+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}