Cyber Resilience

CVE-2026-3544

High

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0031 22.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3544 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3544 is a heap buffer overflow vulnerability in the WebCodecs component of Google Chrome versions prior to 145.0.7632.159. It enables a remote attacker to perform an out-of-bounds memory write through a crafted HTML page. The issue is rated High severity by Chromium security and corresponds to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges. Successful exploitation allows arbitrary out-of-bounds memory writes, potentially leading to high-impact confidentiality, integrity, and availability violations, such as code execution or system compromise within the browser's sandbox.

Mitigation is addressed in the Chrome stable channel update, with the vulnerability fixed in version 145.0.7632.159 and later. Security practitioners should advise users to update Google Chrome immediately, as detailed in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html) and the associated Chromium issue tracker (https://issues.chromium.org/issues/485683110).

EU & UK References

Vulnerability details

Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in Chrome WebCodecs enables remote code execution via crafted HTML on malicious site, directly mapping to drive-by compromise (T1189) and client-side exploitation (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2314Same product: Apple Macos
CVE-2026-3931Same product: Apple Macos
CVE-2026-3913Same product: Apple Macos
CVE-2026-1861Same product: Apple Macos
CVE-2026-4673Same product: Apple Macos
CVE-2026-4675Same product: Apple Macos
CVE-2026-4463Same product: Apple Macos
CVE-2026-9973Same product: Apple Macos
CVE-2025-13042Same product: Apple Macos
CVE-2026-9879Same product: Apple Macos

Affected Assets

google
chrome
≤ 145.0.7632.159 · ≤ 145.0.7632.160

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation through patching Chrome to version 145.0.7632.159 or later, directly eliminating the heap buffer overflow vulnerability.

prevent

Implements memory protection mechanisms such as ASLR and DEP to prevent exploitation of heap buffer overflows and out-of-bounds memory writes.

detect

Supports identification of systems running vulnerable Chrome versions via vulnerability scanning, enabling targeted patching.

References