CVE-2026-3543
Published: 04 March 2026
Summary
CVE-2026-3543 is a high-severity Improper Access Control (CWE-284) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 24.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly addresses CVE-2026-3543 by requiring identification, reporting, and timely remediation of flaws in the V8 JavaScript engine through vendor patches.
- Implements memory protection mechanisms such as ASLR and DEP to prevent out-of-bounds memory access exploits triggered by crafted HTML pages in the V8 engine.
- Enforces process isolation via browser sandboxing to contain potential damage from V8 out-of-bounds access even if initial exploitation occurs.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
V8 OOB memory access in Chrome directly enables drive-by compromise via crafted HTML (T1189), client application exploitation for code execution (T1203), and malicious link delivery requiring user interaction (T1204.001).
NVD Description
Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Deeper analysis [AI]
CVE-2026-3543 involves an inappropriate implementation in the V8 JavaScript engine within Google Chrome prior to version 145.0.7632.159. This flaw allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. Rated as High severity by the Chromium security team, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control).
The vulnerability can be exploited by a remote attacker requiring no privileges, over the network with low attack complexity, though it demands user interaction such as loading a malicious HTML page. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (confidentiality), modification of data or code (integrity), and disruption of system availability, all facilitated by the out-of-bounds memory access.
Official advisories provide mitigation details in the Google Chrome stable channel update for desktop at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/485267831. Affected users should update to Google Chrome 145.0.7632.159 or later to address the issue.
Details
- CWE(s)