CVE-2026-3539
Published: 04 March 2026
Summary
CVE-2026-3539 is a high-severity Use of Object without Invoking Destructor Method (CWE-1091) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- CM-11 (User-installed Software): Restricts user installation of unapproved software, directly preventing the installation of the malicious Chrome extension required to trigger the DevTools heap corruption.
- SI-2 (Flaw Remediation): Ensures timely patching of the specific object lifecycle flaw in Chrome DevTools fixed in version 145.0.7632.159.
- SI-3 (Malicious Code Protection): Deploys malicious code protection mechanisms to identify and block crafted extensions attempting to exploit heap corruption in DevTools.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is directly triggered by a crafted malicious Chrome Extension that exploits an object lifecycle issue to achieve heap corruption; this precisely matches the Browser Extensions sub-technique under Software Extensions.
NVD Description
Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Deeper analysis
CVE-2026-3539 is an object lifecycle issue in DevTools within Google Chrome versions prior to 145.0.7632.159. This vulnerability enables an attacker to potentially exploit heap corruption via a crafted Chrome Extension. It carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-1091.
The attack requires an attacker to convince a targeted user to install a malicious extension, with user interaction being a prerequisite (UI:R). No special privileges are needed (PR:N), and exploitation can occur over the network (AV:N) with low complexity (AC:L). Successful exploitation leads to heap corruption, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the user's browser scope (S:U).
Mitigation details are provided in the Chrome Releases stable channel update for desktop at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html, which patches the issue in version 145.0.7632.159. Additional technical information is available in the Chromium issue tracker at https://issues.chromium.org/issues/483853098. Users should update to Chrome 145.0.7632.159 or later to address this vulnerability.
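The two mitigations above (SI-2: patch to 145.0.7632.159 or later; CM-11: block user-installed extensions) can be turned into a fleet exposure check. The following is an added example, not code from the advisory or from Chromium; it assumes inventory data of the form (hostname, Chrome version string, effective Chrome policy dict), uses the real Chrome policy name ExtensionInstallBlocklist, and the hostnames, versions and extension id below are constructed.

```python
"""Exposure check for CVE-2026-3539 (constructed example, not from the advisory).

A host is exposed only when both conditions from the advisory hold:
  1. Chrome is older than the fixed build 145.0.7632.159 (SI-2, Flaw Remediation).
  2. Users can still install arbitrary extensions (CM-11, User-installed Software).
Chrome versions have four numeric components and must be compared numerically:
as strings, "145.0.7632.99" sorts AFTER "145.0.7632.159" and looks patched.
"""
import re

FIXED_VERSION = (145, 0, 7632, 159)   # fix version stated in the advisory


def parse_chrome_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a 4-tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_unpatched(version: str) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_chrome_version(version) < FIXED_VERSION


def user_extension_install_allowed(policy: dict) -> bool:
    """A blocklist containing "*" blocks every extension not explicitly
    allowlisted (ExtensionInstallAllowlist), which is the CM-11 posture.
    Any other configuration leaves user extension installs possible."""
    return "*" not in policy.get("ExtensionInstallBlocklist", [])


def assess(version: str, policy: dict) -> str:
    """Return 'patched', 'mitigated' (old build, vector blocked) or 'exposed'."""
    if not is_unpatched(version):
        return "patched"      # SI-2 satisfied
    if user_extension_install_allowed(policy):
        return "exposed"      # vulnerable build and users can add extensions
    return "mitigated"        # vulnerable build, but CM-11 blocks the vector


if __name__ == "__main__":
    # Constructed sample inventory rows: (hostname, Chrome version, policy)
    hosts = [
        ("wks-01", "145.0.7632.99", {}),
        ("wks-02", "145.0.7632.159", {}),
        ("wks-03", "144.0.7559.200", {"ExtensionInstallBlocklist": ["*"],
                                      "ExtensionInstallAllowlist": ["PLACEHOLDER_EXTENSION_ID"]}),
    ]
    for name, ver, pol in hosts:
        print(f"{name}: Chrome {ver} -> {assess(ver, pol)}")
```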
Details
- CWE(s)