{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3938", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-11T05:54:14.906Z", "datePublished": "2026-03-11T22:04:15.502Z", "dateUpdated": "2026-03-14T03:15:40.715Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "146.0.7680.71", "status": "affected", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:15.502Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/474763968"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:10:17.476334Z", "id": "CVE-2026-3938", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:15:40.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-14T03:10:17.476334Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:10:40.544Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "146.0.7680.71", "lessThan": "146.0.7680.71", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"url": "https://issues.chromium.org/issues/474763968"}], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Insufficient policy enforcement"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-11T22:04:15.502Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3938", "state": "PUBLISHED", "dateUpdated": "2026-03-14T03:15:40.715Z", "dateReserved": "2026-03-11T05:54:14.906Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-11T22:04:15.502Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9898EF8-B616-4762-BD38-FFD790EE7517", "versionEndExcluding": "146.0.7680.71", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)"}, {"lang": "es", "value": "Aplicaci\u00f3n insuficiente de pol\u00edticas en el Portapapeles en Google Chrome anterior a la versi\u00f3n 146.0.7680.71 permiti\u00f3 a un atacante remoto que hab\u00eda comprometido el proceso de renderizado filtrar datos de origen cruzado a trav\u00e9s de una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Baja)"}], "id": "CVE-2026-3938", "lastModified": "2026-03-16T18:10:25.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T22:16:36.477", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/474763968"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Insufficient policy enforcement in Clipboard", "id": "2446849", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446849"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "details": ["An insufficient policy enforcement flaw was found in the Clipboard component of the Chromium browser.\nUpstream bug(s):\nhttps://code.google.com/p/chromium/issues/detail?id=474763968"], "name": "CVE-2026-3938", "public_date": "2026-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3938\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3938\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html\nhttps://issues.chromium.org/issues/474763968"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[146.0.7680.71,146.0.7680.71)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T02:50:52.665911+00:00", "value": {"mitigation_remediation": ["Update Chrome to version 146.0.7680.71 or later. ", "Enable automatic updates for Chrome to ensure the latest security fixes are applied without delay. ", "If available, apply an enterprise policy to restrict clipboard access across origins, or use a browser extension that blocks cross\u2011origin clipboard reads until the bug is fixed."], "summary": {"action": "Patch", "impact": "Cross\u2011origin Data Leakage via Clipboard"}, "threat_synthesis": {"affected_systems": "The flaw affects Google Chrome on all platforms (Windows, macOS, Linux) prior to version 146.0.7680.71. No other vendors or versions are listed as vulnerable in the CNA data.", "description_and_impact": "Insufficient enforcement of clipboard policy in Chrome before 146.0.7680.71 lets a compromised renderer process access and leak data that originates from a different origin when a specially crafted HTML page is loaded. The result is a breach of confidentiality, allowing the attacker to exfiltrate sensitive information that was previously protected by cross\u2011origin boundaries. The weakness manifests as a failure to adequately authorise clipboard access and is identified as CWE\u2011284.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates moderate severity, while the EPSS rating of less than one percent suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a pre\u2011existing compromise of the renderer process, likely achieved through a separate flaw or social\u2011engineering attack, after which the attacker can craft a page that reads clipboard data and exfiltrates it. Given the requirement for a local compromise and the low EPSS probability, the overall risk is moderate but not imminent."}}}}, "created": "2026-03-12T09:55:14.307294+00:00", "updated": "2026-04-16T03:00:09.181741+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}