CVE-2026-3540
Published: 04 March 2026
Summary
CVE-2026-3540 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 23.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of flaws such as the out-of-bounds memory access in Chrome's WebAudio implementation. Applying the available update to version 145.0.7632.159 removes the flaw itself; the other controls below only reduce exposure to it.
- SI-16 (Memory Protection): implements memory safeguards such as address space layout randomization (ASLR) and data execution prevention (DEP), which raise the cost of turning an out-of-bounds memory access in WebAudio processing into code execution. These safeguards do not prevent the out-of-bounds access itself, and an out-of-bounds read is precisely the primitive attackers use to leak addresses and defeat ASLR, so this control complements patching rather than substituting for it.
- Configuration settings: establishes and monitors secure configuration settings for Chrome, including enforced automatic updates, so that hosts pick up the fix promptly and remain on a supported stable release.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE allows remote exploitation of Chrome through a crafted HTML page (out-of-bounds memory access in WebAudio). That maps directly to Drive-by Compromise (T1189) for the delivery vector, a user visiting attacker-controlled or compromised web content, and to Exploitation for Client Execution (T1203) for the browser-side exploitation of the flaw.
NVD Description
Inappropriate implementation in WebAudio in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysis (AI-generated)
CVE-2026-3540 is an inappropriate implementation in the WebAudio component of Google Chrome prior to version 145.0.7632.159. The flaw allows a remote attacker to perform out-of-bounds memory access through a crafted HTML page. The vulnerability, published on 2026-03-04, carries a Chromium security severity rating of High and a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It is classified under CWE-125 (Out-of-bounds Read).
An unauthenticated remote attacker can exploit the issue over the network with low attack complexity; the only precondition is user interaction (the UI:R component of the vector), namely luring the user into loading a crafted HTML page. Successful exploitation yields high impact on confidentiality, integrity, and availability. The public description does not say how the out-of-bounds access is triggered or how far it can be pushed; Chromium commonly keeps bug details restricted until most users have the fix, so the issue tracker entry may not be readable yet.
The fix ships in Google Chrome version 145.0.7632.159 and later stable-channel releases. Security practitioners should prioritize updating affected systems and confirm the running version after a relaunch, since a downloaded Chrome update is not active until the browser restarts. Additional details appear in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/484088917.
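The remediation above comes down to one check: is the installed build prior to 145.0.7632.159? The following script, an added example that is not code from this page or from Google or Chromium, triages a software inventory against that fix version. It parses four-part Chromium version strings as the inventory agent typically reports them and compares them numerically; the inventory rows and hostnames are constructed sample data, and the version numbers other than 145.0.7632.159 are made up for illustration. The point it shows is that comparing version strings lexicographically gets this wrong: "145.0.7632.99" sorts after "145.0.7632.159" as text, yet it is an earlier, still-vulnerable build.

```python
"""Triage a Chrome inventory against the CVE-2026-3540 fix version.

Added example, not code from the advisory or from Google/Chromium.
SAMPLE_INVENTORY below is constructed data; only FIXED_VERSION comes
from the NVD description.
"""
import re

# Fixed build from the NVD description / Chrome release notes.
FIXED_VERSION = "145.0.7632.159"

# Matches a four-part Chromium version anywhere in a string, so one parser
# handles "Google Chrome 145.0.7632.159", "Chromium 144.0.7559.120" (constructed),
# or a bare "145.0.7632.159" from an inventory export.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is present.

    Integer tuples compare component by component, which is what a version
    comparison needs. Comparing the raw strings would rank "145.0.7632.99"
    above "145.0.7632.159" because "9" > "1" as a character.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version_text, fixed=FIXED_VERSION):
    """True if the build predates the fix, False if it is the fix or later.

    Returns None when the version cannot be parsed, so callers can flag the
    host for manual verification instead of silently treating it as patched.
    """
    found = parse_version(version_text)
    fixed_tuple = parse_version(fixed)
    if found is None or fixed_tuple is None:
        return None
    return found < fixed_tuple


def triage(inventory):
    """Split (hostname, version string) rows into affected, patched, unknown."""
    affected, patched, unknown = [], [], []
    for host, version_text in inventory:
        verdict = is_affected(version_text)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
        else:
            patched.append(host)
    return affected, patched, unknown


# Constructed sample inventory: (hostname, version string as reported by an agent).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 145.0.7632.159"),    # exactly the fixed build
    ("ws-002", "Google Chrome 145.0.7632.99"),     # older, but sorts higher as text
    ("ws-003", "Chromium 144.0.7559.120"),         # earlier major version (constructed)
    ("ws-004", "Google Chrome 146.0.7700.10"),     # later major version (constructed)
    ("ws-005", "Google Chrome (version unknown)"), # agent could not read the version
]

if __name__ == "__main__":
    affected, patched, unknown = triage(SAMPLE_INVENTORY)
    print("affected (update now):", affected)
    print("patched:", patched)
    print("unknown (verify manually):", unknown)
```

Feed it whatever your inventory tool exports, one row per host; the unparseable bucket matters because an agent that reports no version is a host you cannot assume is fixed. Treat the result as the on-disk version only: a host that has downloaded the update but not relaunched Chrome is still running the old binary.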
Details
- CWE(s): CWE-125 (Out-of-bounds Read)