{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3537", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-04T18:18:27.478Z", "datePublished": "2026-03-04T19:24:27.757Z", "dateUpdated": "2026-03-11T15:13:22.581Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "145.0.7632.159", "status": "affected", "lessThan": "145.0.7632.159", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Object lifecycle issue"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-04T19:24:27.757Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/474266014"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1091", "lang": "en", "description": "CWE-1091 Use of Object without Invoking Destructor Method"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T04:55:58.492008Z", "id": "CVE-2026-3537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:13:22.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T04:55:58.492008Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1091", "description": "CWE-1091 Use of Object without Invoking Destructor Method"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T20:07:29.284Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "145.0.7632.159", "lessThan": "145.0.7632.159", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/474266014"}], "descriptions": [{"lang": "en", "value": "Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Object lifecycle issue"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-04T19:24:27.757Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3537", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:13:22.581Z", "dateReserved": "2026-03-04T18:18:27.478Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-04T19:24:27.757Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*", "matchCriteriaId": "7F3BC1AA-B71C-45CE-8CAE-0457525ADC82", "versionEndExcluding": "145.0.7632.159", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)"}, {"lang": "es", "value": "Problema del ciclo de vida del objeto en PowerVR en Google Chrome en Android anterior a 145.0.7632.159 permiti\u00f3 a un atacante remoto potencialmente explotar la corrupci\u00f3n de pila mediante una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Cr\u00edtica)"}], "id": "CVE-2026-3537", "lastModified": "2026-03-11T16:16:45.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-04T20:16:20.707", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/474266014"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1091"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "145.0.7632.159"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T05:41:20.863675+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome on Android to version 145.0.7632.159 or newer on all devices.", "Enable automatic updates for Chrome so that future security patches are applied without manual intervention.", "When an update cannot be applied immediately, mitigate exposure by restricting the browsing of untrusted content, using Chrome\u2019s Safe Browsing and Site Isolation features to limit the impact of any potential exploit."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Google Chrome on Android versions prior to 145.0.7632.159 are impacted. The issue exists in the PowerVR component which is used across Android Chrome builds; other platforms such as macOS, Linux, and Windows are listed in the CPE data but the flaw is specific to the Android implementation.", "description_and_impact": "An object lifecycle flaw inside PowerVR on Google Chrome for Android allows an attacker to craft a malicious HTML page that triggers heap corruption, potentially enabling arbitrary code execution. The vulnerability is categorized as critical by Chromium, indicating a high likelihood of compromising the confidentiality, integrity, and availability of the affected system. It is a direct flaw that can alter application memory and does not rely on additional software exploits.", "risk_and_exploitability": "The CVSS score of 8.8 reflects the severity of the flaw, while the EPSS score of less than 1% indicates a low, but nonzero, probability of real\u2011world exploitation. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Attackers can exploit it by directing a user to a crafted HTML page, suggesting that the attack vector is remote over the network. Exploitation would require the victim to open the malicious content. Once triggered, the heap corruption could lead to arbitrary code execution with the privileges of the Chrome process."}}}}, "created": "2026-03-05T09:05:57.204500+00:00", "title": "PowerVR Object Lifecycle Heap Corruption in Google Chrome on Android", "updated": "2026-04-16T05:45:26.018835+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}