CVE-2026-3542
Published: 04 March 2026
Summary
CVE-2026-3542 is a high-severity Improper Access Control (CWE-284) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely remediation of the WebAssembly implementation flaw in Chrome via patching to version 145.0.7632.159 or later, directly eliminating the out-of-bounds memory access vulnerability.
Enforces memory protection mechanisms that mitigate unauthorized out-of-bounds memory access triggered by the crafted HTML page in WebAssembly.
Provides process isolation in the browser to limit the impact of memory corruption from the WebAssembly vulnerability within the renderer process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB memory access in Chrome WebAssembly via crafted HTML enables drive-by compromise through malicious site visits (T1189) and direct client-side code execution exploitation (T1203).
NVD Description
Inappropriate implementation in WebAssembly in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-3542 stems from an inappropriate implementation in the WebAssembly component of Google Chrome prior to version 145.0.7632.159. This flaw enables a remote attacker to perform out-of-bounds memory access through a crafted HTML page. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control). Chromium security severity is rated as High.
A remote attacker without privileges can exploit this issue by luring a user to interact with (e.g., visit) a malicious site hosting the crafted HTML page, triggering the out-of-bounds memory access in WebAssembly. Exploitation requires user interaction but no authentication, allowing high-impact consequences on confidentiality, integrity, and availability within the affected browser context.
Mitigation is available via updating Google Chrome to version 145.0.7632.159 or later, as detailed in the stable channel update. Additional information appears in the Chrome Releases blog post at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/485152421.
Details
- CWE(s)