CVE-2026-3545

Severity: Critical
Published: 04 March 2026
Modified: 05 March 2026
KEV Added: not listed
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0026 (17.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-3545 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 17.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3545 is an insufficient data validation vulnerability (CWE-20) in the Navigation component of Google Chrome prior to version 145.0.7632.159. This high-severity issue, as rated by the Chromium security team, allows a remote attacker to potentially escape the browser's sandbox through a crafted HTML page. The vulnerability received a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), highlighting its critical potential impact.

A remote attacker without privileges can exploit this over the network with low attack complexity, though it requires user interaction, such as visiting a malicious webpage. Successful exploitation enables a sandbox escape, resulting in high impacts to confidentiality, integrity, and availability across the changed scope.

Mitigation is addressed in the Google Chrome stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/487383169. Practitioners should update affected Chrome installations to version 145.0.7632.159 or later.

Vulnerability details

Insufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a client-side browser exploit (T1203) via crafted HTML enabling sandbox escape, which facilitates privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Google Chrome: ≤ 145.0.7632.159 · ≤ 145.0.7632.160

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely flaw remediation through patching Chrome to version 145.0.7632.159 or later, directly eliminating the insufficient data validation vulnerability.

SI-10 Information Input Validation (prevent): mandates validation of information inputs such as crafted HTML navigation data, directly addressing the CWE-20 improper input validation root cause.

SC-39 Process Isolation (prevent): enforces process isolation for browser renderer processes, strengthening the sandbox boundaries targeted by the escape exploitation.