CVE-2026-3544
Published: 04 March 2026
Summary
CVE-2026-3544 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely flaw remediation through patching Chrome to version 145.0.7632.159 or later, directly eliminating the heap buffer overflow vulnerability.
Implements memory protection mechanisms such as ASLR and DEP to prevent exploitation of heap buffer overflows and out-of-bounds memory writes.
Supports identification of systems running vulnerable Chrome versions via vulnerability scanning, enabling targeted patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in Chrome WebCodecs enables remote code execution via crafted HTML on malicious site, directly mapping to drive-by compromise (T1189) and client-side exploitation (T1203).
NVD Description
Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2026-3544 is a heap buffer overflow vulnerability in the WebCodecs component of Google Chrome versions prior to 145.0.7632.159. It enables a remote attacker to perform an out-of-bounds memory write through a crafted HTML page. The issue is rated High severity by Chromium security and corresponds to CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website or interacting with a crafted HTML page, requiring no privileges. Successful exploitation allows arbitrary out-of-bounds memory writes, potentially leading to high-impact confidentiality, integrity, and availability violations, such as code execution or system compromise within the browser's sandbox.
Mitigation is addressed in the Chrome stable channel update, with the vulnerability fixed in version 145.0.7632.159 and later. Security practitioners should advise users to update Google Chrome immediately, as detailed in the Chrome Releases blog post (https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html) and the associated Chromium issue tracker (https://issues.chromium.org/issues/485683110).
Details
- CWE(s)