CVE-2026-3538
Published: 04 March 2026
Summary
CVE-2026-3538 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and remediation of flaws such as the integer overflow in Chrome's Skia library via patching to version 145.0.7632.159 or later.
Implements memory protection mechanisms that mitigate out-of-bounds memory access resulting from the integer overflow in Skia.
Requires validation of crafted HTML inputs to the Skia graphics library to prevent integer overflows and subsequent out-of-bounds access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow/OOB in Chrome Skia enables RCE via crafted HTML page visited by user, directly mapping to drive-by compromise and client application exploitation.
NVD Description
Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
Deeper analysisAI
CVE-2026-3538 is an integer overflow vulnerability in the Skia graphics library within Google Chrome versions prior to 145.0.7632.159. The flaw enables a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. It is associated with CWE-472 and CWE-191, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and is rated Critical by Chromium security.
A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a malicious website hosting a crafted HTML page. Exploitation requires user interaction, such as visiting the page, but no authentication. Successful attacks could lead to out-of-bounds memory access with high impacts on confidentiality, integrity, and availability.
Mitigation involves updating to Google Chrome 145.0.7632.159 or later, as detailed in the stable channel update announced on the Chrome Releases blog at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/484983991.
Details
- CWE(s)