CVE-2026-3536 Overview
CVE-2026-3536 is an integer overflow vulnerability in the ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome prior to version 145.0.7632.159. This vulnerability allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. The Chromium security team has rated this vulnerability as Critical severity.
Critical Impact
Remote attackers can exploit this integer overflow to achieve out-of-bounds memory access, potentially leading to arbitrary code execution or information disclosure through a maliciously crafted web page.
Affected Products
- Google Chrome versions prior to 145.0.7632.159
- Chrome on Microsoft Windows
- Chrome on Apple macOS
- Chrome on Linux
Discovery Timeline
- 2026-03-04 - CVE-2026-3536 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-3536
Vulnerability Analysis
This vulnerability exists in ANGLE, Google Chrome's graphics abstraction layer that translates OpenGL ES API calls to the native graphics API of the host platform (DirectX, OpenGL, Vulkan, or Metal). The integer overflow condition (CWE-190) occurs during mathematical operations related to graphics rendering, where numeric values exceed their maximum representable size and wrap around to unexpected values.
The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-190 (Integer Overflow or Wraparound). When exploited, the integer overflow leads to incorrect memory allocation size calculations, enabling subsequent out-of-bounds memory access operations.
Root Cause
The root cause is an integer overflow condition in ANGLE's graphics processing routines. When handling specially crafted input from a malicious HTML page, arithmetic operations on size or length values can overflow, causing memory buffers to be allocated with smaller sizes than expected. Subsequent operations then access memory beyond these undersized buffers.
Attack Vector
The attack is network-based and requires user interaction—specifically, convincing a victim to visit a malicious webpage. The crafted HTML page triggers the vulnerable code path in ANGLE during graphics rendering operations. An attacker can host the malicious page on a compromised or attacker-controlled website, or inject the malicious content through advertising networks or compromised legitimate sites.
The exploitation requires no special privileges and can be triggered simply by rendering malicious content in the browser. The vulnerability affects all major desktop platforms where Chrome is deployed, including Windows, macOS, and Linux.
Detection Methods for CVE-2026-3536
Indicators of Compromise
- Unexpected Chrome browser crashes during webpage rendering, particularly on graphics-intensive pages
- Memory access violations or segmentation faults in Chrome's GPU process
- Anomalous network traffic to unknown or suspicious domains hosting crafted HTML content
- Chrome crash reports indicating faults in libGLESv2.dll (Windows), libGLESv2.dylib (macOS), or equivalent ANGLE libraries
Detection Strategies
- Monitor for Chrome crash dumps and memory corruption signatures associated with ANGLE or GPU process components
- Deploy browser isolation solutions to contain potential exploitation attempts
- Implement network-based detection for suspicious web page content patterns targeting graphics APIs
- Enable Chrome's built-in crash reporting to identify potential exploitation attempts across the organization
Monitoring Recommendations
- Enable enhanced logging for Chrome browser events and crash reports across endpoints
- Monitor for unusual GPU process behavior including unexpected terminations and restarts
- Implement endpoint detection rules for out-of-bounds memory access patterns in browser processes
- Review web proxy logs for connections to newly registered or suspicious domains
How to Mitigate CVE-2026-3536
Immediate Actions Required
- Update Google Chrome to version 145.0.7632.159 or later immediately across all managed endpoints
- Enable automatic updates for Chrome to ensure future security patches are applied promptly
- Consider temporarily disabling hardware acceleration in Chrome for high-risk environments until patching is complete
- Educate users about the risks of visiting untrusted websites
Patch Information
Google has released a security update addressing this vulnerability. Update to Chrome version 145.0.7632.159 or later to remediate CVE-2026-3536. The patch information is available in the Google Chrome Desktop Update. Additional technical details can be found in the Chromium Issue Tracker Entry.
Workarounds
- Enable Chrome's Software Rendering mode by launching with the --disable-gpu flag as a temporary measure
- Implement web content filtering to block access to untrusted or potentially malicious sites
- Use browser isolation technologies to contain any potential exploitation attempts
- Deploy endpoint protection solutions capable of detecting memory corruption exploits
# Temporary workaround: Launch Chrome with software rendering
# Windows
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-gpu
# macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-gpu
# Linux
google-chrome --disable-gpu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
