Cyber Resilience

CVE-2026-3062

Critical

Published: 23 February 2026

Published
23 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 25.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-3062 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3062 is an out-of-bounds read and write vulnerability in the Tint component of Google Chrome on Mac, affecting versions prior to 145.0.7632.116. It enables a remote attacker to perform out-of-bounds memory access through a crafted HTML page. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), with Chromium assigning it a High security severity.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely over the network with low complexity, requiring no privileges or user interaction. An attacker can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise by tricking a user into visiting a malicious website.

Mitigation is addressed in the Google Chrome stable channel update announced at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html, which patches the issue in version 145.0.7632.116 and later. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/483751167. Security practitioners should prioritize updating affected Chrome installations on Mac to the patched version.

EU & UK References

Vulnerability details

Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Out-of-bounds R/W in Chrome renderer via crafted HTML page directly enables drive-by compromise of client browsers and exploitation for client-side code execution leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4459Same product: Apple Macos
CVE-2026-0899Same product: Apple Macos
CVE-2025-14766Same product: Apple Macos
CVE-2026-7899Same product: Apple Macos
CVE-2026-5873Same product: Apple Macos
CVE-2026-4440Same product: Apple Macos
CVE-2026-7902Same product: Apple Macos
CVE-2026-3920Same product: Apple Macos
CVE-2026-7354Same product: Apple Macos
CVE-2026-4460Same product: Apple Macos

Affected Assets

google
chrome
≤ 145.0.7632.116 · ≤ 145.0.7632.117

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and remediation of the out-of-bounds read/write flaw in Chrome's Tint component via vendor patches like version 145.0.7632.116.

prevent

Implements memory protection mechanisms such as DEP and ASLR to prevent unauthorized code execution from out-of-bounds memory access exploits in the Tint renderer.

prevent

Enforces process isolation through browser sandboxing to contain compromise within the vulnerable Tint rendering process and prevent system-wide impact.

References