Cyber Resilience

CVE-2026-3543

High

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0029 20.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3543 is a high-severity Improper Access Control (CWE-284) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3543 involves an inappropriate implementation in the V8 JavaScript engine within Google Chrome prior to version 145.0.7632.159. This flaw allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. Rated as High severity by the Chromium security team, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control).

The vulnerability can be exploited by a remote attacker requiring no privileges, over the network with low attack complexity, though it demands user interaction such as loading a malicious HTML page. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data (confidentiality), modification of data or code (integrity), and disruption of system availability, all facilitated by the out-of-bounds memory access.

Official advisories provide mitigation details in the Google Chrome stable channel update for desktop at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html and the Chromium issue tracker at https://issues.chromium.org/issues/485267831. Affected users should update to Google Chrome 145.0.7632.159 or later to address the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

V8 OOB memory access in Chrome directly enables drive-by compromise via crafted HTML (T1189), client application exploitation for code execution (T1203), and malicious link delivery requiring user interaction (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3932Same product: Apple Macos
CVE-2026-3541Same product: Apple Macos
CVE-2026-3542Same product: Apple Macos
CVE-2026-5863Same product: Apple Macos
CVE-2025-8882Same product: Apple Macos
CVE-2026-4447Same product: Apple Macos
CVE-2025-10892Same product: Apple Macos
CVE-2026-5286Same product: Apple Macos
CVE-2026-4442Same product: Apple Macos
CVE-2026-9933Same product: Apple Macos

Affected Assets

google
chrome
≤ 145.0.7632.159 · ≤ 145.0.7632.160

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses CVE-2026-3543 by requiring identification, reporting, and timely remediation of flaws in the V8 JavaScript engine through vendor patches.

prevent

Implements memory protection mechanisms such as ASLR and DEP to prevent out-of-bounds memory access exploits triggered by crafted HTML pages in the V8 engine.

prevent

Enforces process isolation via browser sandboxing to contain potential damage from V8 out-of-bounds access even if initial exploitation occurs.

References