CVE-2026-3539

Severity: High
Published: 04 March 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: available (fixed in 145.0.7632.159)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (18.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3539 is a high-severity Use of Object without Invoking Destructor Method (CWE-1091) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Extensions (T1176.001). The CVE ranks at the 18.5th percentile by exploit likelihood (EPSS 0.0027, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3539 is an object lifecycle issue in DevTools within Google Chrome versions prior to 145.0.7632.159. This vulnerability enables an attacker to potentially exploit heap corruption via a crafted Chrome Extension. It carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-1091.

The attack requires an attacker to convince a targeted user to install a malicious extension, with user interaction being a prerequisite (UI:R). No special privileges are needed (PR:N), and exploitation can occur over the network (AV:N) with low complexity (AC:L). Successful exploitation leads to heap corruption, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the user's browser scope (S:U).

Mitigation details are provided in the Chrome Releases stable channel update for desktop at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html, which patches the issue in version 145.0.7632.159. Additional technical information is available in the Chromium issue tracker at https://issues.chromium.org/issues/483853098. Users should update to Chrome 145.0.7632.159 or later to address this vulnerability.
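A practical way to act on the "update to 145.0.7632.159 or later" guidance is to compare installed builds against the fixed version numerically rather than as strings. The script below is an added example, not part of this advisory or of Google's tooling; it assumes an inventory of `hostname,<output of google-chrome --version>` lines (the sample lines are constructed) and treats any build it cannot parse as unknown rather than safe.

```python
import re

FIXED_VERSION = "145.0.7632.159"  # fixed build named in the advisory

# Constructed inventory lines: "hostname,<output of google-chrome --version>".
SAMPLE_INVENTORY = """\
ws-01,Google Chrome 145.0.7632.120
ws-02,Google Chrome 145.0.7632.159
ws-03,Chromium 144.0.7500.88
ws-04,Google Chrome 146.0.7700.10
ws-05,not installed
"""


def parse_version(text):
    """Pull the first dotted version out of a string such as
    'Google Chrome 145.0.7632.120' and return it as a 4-tuple of ints, so that
    tuple comparison orders builds correctly (string comparison would rank
    145.0.7632.99 above 145.0.7632.159)."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad short strings such as "145.0"


def is_affected(version_text, fixed=FIXED_VERSION):
    """True when the build predates the fixed version (the vendor's 'prior to' range)."""
    return parse_version(version_text) < parse_version(fixed)


def hosts_needing_update(inventory=SAMPLE_INVENTORY):
    """Return (host, version) pairs still on a vulnerable build, plus the hosts
    whose version could not be read, so they are not silently treated as safe."""
    needs_update, unknown = [], []
    for line in inventory.splitlines():
        host, _, version_text = line.partition(",")
        try:
            if is_affected(version_text):
                needs_update.append((host, version_text.strip()))
        except ValueError:
            unknown.append(host)
    return needs_update, unknown


if __name__ == "__main__":
    vulnerable, unknown = hosts_needing_update()
    for host, ver in vulnerable:
        print(f"{host}: {ver} is older than {FIXED_VERSION}, update required")
    for host in unknown:
        print(f"{host}: version unknown, check manually")
```

On the sample inventory, ws-01 and ws-03 are flagged for update, ws-02 (exactly the fixed build) and ws-04 pass, and ws-05 is reported separately for manual follow-up.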

Vulnerability details

Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

CWE(s)

CWE-1091 Use of Object without Invoking Destructor Method

Related Threats

MITRE ATT&CK Enterprise Techniques

T1176.001 Browser Extensions (tactic: Persistence)
Adversaries may abuse internet browser extensions to establish persistent access to victim systems.

Why these techniques?

The vulnerability is directly triggered by a crafted malicious Chrome Extension that exploits an object lifecycle issue to achieve heap corruption; this precisely matches the Browser Extensions sub-technique under Software Extensions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

google chrome ≤ 145.0.7632.159

Mitigating Controls (NIST 800-53 r5)

prevent (CM-11, User-installed Software): Restricts user installation of unapproved software, directly preventing the installation of the malicious Chrome extension required to trigger the DevTools heap corruption.

prevent (SI-2, Flaw Remediation): Ensures timely patching of the specific object lifecycle flaw in Chrome DevTools fixed in version 145.0.7632.159.

prevent, detect: Deploys malicious code protection mechanisms to identify and block crafted extensions attempting to exploit heap corruption in DevTools.
