Cyber Posture

CVE-2026-3545

Critical

Published: 04 March 2026

Modified: 05 March 2026
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.8th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3545 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 32.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires timely flaw remediation through patching Chrome to version 145.0.7632.159 or later, directly eliminating the insufficient data validation vulnerability.

Prevent: SI-10 mandates validation of information inputs such as crafted HTML navigation data, directly addressing the CWE-20 improper input validation root cause.

Prevent: SC-39 enforces process isolation for browser renderer processes, strengthening the sandbox boundaries targeted by the escape exploitation.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a client-side browser exploit (T1203) via crafted HTML enabling sandbox escape, which facilitates privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Insufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Deeper analysis (AI)

CVE-2026-3545 is an insufficient data validation vulnerability (CWE-20) in the Navigation component of Google Chrome prior to version 145.0.7632.159. This high-severity issue, as rated by the Chromium security team, allows a remote attacker to potentially escape the browser's sandbox through a crafted HTML page. The vulnerability received a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), highlighting its critical potential impact.

A remote attacker without privileges can exploit this over the network with low attack complexity, though it requires user interaction, such as visiting a malicious webpage. Successful exploitation enables a sandbox escape, resulting in high impacts to confidentiality, integrity, and availability across the changed scope.

Mitigation is addressed in the Google Chrome stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/487383169. Practitioners should update affected Chrome installations to version 145.0.7632.159 or later.

Details

CWE(s)

Affected Products

google chrome: ≤ 145.0.7632.159 · ≤ 145.0.7632.160

CVEs Like This One

CVE-2026-7345 · Same product: Apple Macos
CVE-2026-4451 · Same product: Apple Macos
CVE-2026-5915 · Same product: Apple Macos
CVE-2026-8000 · Same product: Apple Macos
CVE-2026-7967 · Same product: Apple Macos
CVE-2026-7916 · Same product: Apple Macos
CVE-2026-8007 · Same product: Apple Macos
CVE-2026-5884 · Same product: Apple Macos
CVE-2026-7930 · Same product: Apple Macos
CVE-2026-6304 · Same product: Apple Macos
