{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3544", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-03-04T18:18:30.060Z", "datePublished": "2026-03-04T19:24:30.470Z", "dateUpdated": "2026-03-05T14:03:27.537Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "145.0.7632.159", "status": "affected", "lessThan": "145.0.7632.159", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-04T19:24:30.470Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/485683110"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T04:56:01.091366Z", "id": "CVE-2026-3544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:03:27.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T04:56:01.091366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:03:23.808Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "145.0.7632.159", "lessThan": "145.0.7632.159", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/485683110"}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "Heap buffer overflow"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-03-04T19:24:30.470Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3544", "state": "PUBLISHED", "dateUpdated": "2026-03-05T14:03:27.537Z", "dateReserved": "2026-03-04T18:18:30.060Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-03-04T19:24:30.470Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AD3739D-3659-4D93-976A-B6444DAC160F", "versionEndExcluding": "145.0.7632.159", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "05AB209F-109C-44C0-8CE2-81F4AA11A079", "versionEndExcluding": "145.0.7632.160", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-3544", "lastModified": "2026-03-05T21:54:10.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-04T20:16:21.550", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/485683110"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "chromium-browser: Heap buffer overflow in WebCodecs", "id": "2444623", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444623"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)"], "name": "CVE-2026-3544", "public_date": "2026-03-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3544\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3544\nhttps://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html\nhttps://issues.chromium.org/issues/485683110"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[145.0.7632.159,145.0.7632.159)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T13:09:20.682000+00:00", "value": {"mitigation_remediation": ["Upgrade to Google Chrome version 145.0.7632.159 or later, which contains the heap buffer overflow fix", "Enable Chrome\u2019s Safe Browsing and other built\u2011in security features to reduce exposure to malicious content", "Avoid visiting untrusted or suspicious websites until a patched version of Chrome is installed"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Heap Buffer Overflow"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of Google Chrome running any operating system before version 145.0.7632.159. This includes Windows, macOS, and Linux distributions that use the official Chrome binary. Users who continue to use older Chrome releases are exposed to the risk until they upgrade to a patched version.", "description_and_impact": "A heap buffer overflow in the WebCodecs component of Google Chrome allows an attacker who can serve a crafted HTML page to write outside the bounds of allocated memory. The flaw is rooted in the improper handling of buffer sizes (CWE-122 and CWE-787) and can lead to arbitrary code execution, denial of service, or other memory corruption. The vulnerability is classified as high severity by Chromium security. The impact, if successfully exploited, could compromise the confidentiality, integrity, and availability of the affected system. The attacker would gain control over the memory used by Chrome, potentially allowing execution of arbitrary code with the privileges of the browser process.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity. However, the EPSS score is less than 1\u202f%, suggesting that, at present, the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, further indicating that a known exploit has not been observed in the wild. The likely attack vector is a remote attacker delivering a malicious web page to a user who opens the page in a vulnerable Chrome browser. Successful exploitation requires the user to visit the malicious page and for the browser to process it, exploiting the WebCodecs component\u2019s memory management flaw."}}}}, "created": "2026-03-05T09:05:50.567953+00:00", "updated": "2026-04-16T13:15:06.226504+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}