CVE-2026-3541
Published: 04 March 2026
Summary
CVE-2026-3541 is a high-severity Improper Access Control (CWE-284) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 24.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): updating Chrome to 145.0.7632.159 or later replaces the flawed CSS implementation and is the only control that removes the out-of-bounds read itself rather than limiting its consequences.
SI-16 (Memory Protection): ASLR and DEP/NX raise the cost of turning a read primitive into code execution, but they do not prevent the read. An out-of-bounds read is exactly the kind of information leak attackers use to defeat ASLR, and stack canaries guard against out-of-bounds writes, not reads, so neither should be counted as a mitigation for this bug on its own.
SC-39 (Process Isolation): Chrome's renderer sandbox confines a compromised renderer, so a crafted page that triggers the bug cannot reach the file system, devices or other processes without a separate sandbox-escape vulnerability. The sandbox does not protect data the renderer already holds, such as the content of the page and site it is rendering.
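The flaw-remediation control above reduces to a version comparison against the first fixed build. The following triage helper is an added example for this page, not code from Google, Chromium or NVD; the fixed version 145.0.7632.159 is taken from the advisory, and the inventory lines are constructed sample data rather than real hosts.

```python
"""Check whether Chrome/Chromium `--version` strings predate the CVE-2026-3541 fix.

Added example, not Google's or NVD's code. FIXED_VERSION is the first fixed
build named in the advisory; SAMPLE_INVENTORY is constructed sample data.
"""
import re

FIXED_VERSION = (145, 0, 7632, 159)

# Matches the four-part build number in strings such as
# "Google Chrome 145.0.7632.158" or "Chromium 145.0.7632.159 snap".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the Chrome build number as a tuple of ints for ordered comparison."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text: str) -> bool:
    """True when the installed build is older than the first fixed release.

    Tuple comparison handles the cases a naive string compare gets wrong:
    "145.0.7632.158" < "145.0.7632.159", and "144.x" is older than "145.x"
    even though "144" sorts after "1450" as text.
    """
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory: list[str]) -> dict[str, bool]:
    """Map host -> affected for inventory lines of the form 'host<TAB>version string'."""
    result = {}
    for line in inventory:
        host, _, version_text = line.partition("\t")
        result[host] = is_affected(version_text)
    return result


# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = [
    "ws-01\tGoogle Chrome 145.0.7632.158",   # one build short of the fix: affected
    "ws-02\tGoogle Chrome 145.0.7632.159",   # first fixed build
    "ws-03\tChromium 144.0.7559.110",        # older major version: affected
    "ws-04\tGoogle Chrome 146.0.7700.12",    # newer major version: fixed
]

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'}")
```

On Linux and macOS the input strings are what `google-chrome --version` or `chromium --version` print; on Windows, chrome://version or the installed-products registry entries give the same four-part build number. The check covers Chrome and Chromium only: other Chromium-based browsers such as Edge and Brave carry their own version numbering and need their vendor's corresponding fixed release.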
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in Chrome/Chromium CSS triggered by a crafted HTML page is reachable simply by visiting or being redirected to a hostile site, which is Drive-by Compromise (T1189); using that memory-safety bug to gain code execution in the browser is Exploitation for Client Execution (T1203).
NVD Description
Inappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Deeper analysis
CVE-2026-3541 is an inappropriate implementation in the CSS component of Google Chrome prior to version 145.0.7632.159. A remote attacker who gets a victim to load a crafted HTML page can trigger an out-of-bounds memory read in the renderer. The same code ships in Chromium, whose security team rated the issue High severity; the CVE record maps it to CWE-284 (Improper Access Control).
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8 (High): the attack arrives over the network (AV:N) with low complexity (AC:L) and no privileges (PR:N), but requires user interaction (UI:R), typically visiting or being redirected to a malicious site. Scope is unchanged (S:U), so the rating describes impact on the browser itself. Note that an out-of-bounds read on its own discloses memory rather than corrupting it; the high confidentiality, integrity and availability impacts (C:H/I:H/A:H) reflect the worst case in which the read primitive is chained with other bugs toward renderer code execution.
The fix shipped in the Chrome stable channel update for desktop announced at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html. Technical details are tracked in the Chromium issue tracker at https://issues.chromium.org/issues/484811719; Chromium restricts access to security bugs until some time after the fix has shipped, so the issue may not be publicly viewable yet. Update to version 145.0.7632.159 or later, confirm the installed build on chrome://version (Chrome applies updates only after a restart), and note that other Chromium-based browsers need their vendor's corresponding release.
Details
- CWE(s)