CVE-2026-3062
Published: 23 February 2026
Summary
CVE-2026-3062 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and remediation of the out-of-bounds read/write flaw in Chrome's Tint component via vendor patches like version 145.0.7632.116.
Implements memory protection mechanisms such as DEP and ASLR to prevent unauthorized code execution from out-of-bounds memory access exploits in the Tint renderer.
Enforces process isolation through browser sandboxing to contain compromise within the vulnerable Tint rendering process and prevent system-wide impact.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds R/W in Chrome renderer via crafted HTML page directly enables drive-by compromise of client browsers and exploitation for client-side code execution leading to RCE.
NVD Description
Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-3062 is an out-of-bounds read and write vulnerability in the Tint component of Google Chrome on Mac, affecting versions prior to 145.0.7632.116. It enables a remote attacker to perform out-of-bounds memory access through a crafted HTML page. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), with Chromium assigning it a High security severity.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely over the network with low complexity, requiring no privileges or user interaction. An attacker can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise by tricking a user into visiting a malicious website.
Mitigation is addressed in the Google Chrome stable channel update announced at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html, which patches the issue in version 145.0.7632.116 and later. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/483751167. Security practitioners should prioritize updating affected Chrome installations on Mac to the patched version.
Details
- CWE(s)