CVE-2026-3544: Google Chrome Buffer Overflow Vulnerability

CVE-2026-3544 Overview

CVE-2026-3544 is a heap buffer overflow vulnerability in the WebCodecs component of Google Chrome prior to version 145.0.7632.159. A remote attacker can perform an out-of-bounds memory write by serving a crafted HTML page to a victim. Google's Chromium team rated the security severity as High, and the vulnerability is tracked under [CWE-122] (Heap-based Buffer Overflow) and [CWE-787] (Out-of-bounds Write). Successful exploitation requires user interaction, such as visiting a malicious or compromised webpage, but no authentication or privileges. The flaw affects Chrome installations across Windows, macOS, and Linux platforms.

Critical Impact

Remote attackers can trigger an out-of-bounds heap write in the renderer process through a crafted HTML page, potentially leading to arbitrary code execution within the Chrome sandbox.

Affected Products

• Google Chrome versions prior to 145.0.7632.159
• Microsoft Windows (Chrome desktop builds)
• Apple macOS (Chrome desktop builds)
• Linux (Chrome desktop builds)

Discovery Timeline

• 2026-03-04 - CVE-2026-3544 published to NVD
• 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2026-3544

Vulnerability Analysis

The vulnerability resides in Chrome's WebCodecs implementation. WebCodecs is a JavaScript API that exposes low-level access to encoders and decoders for audio, video, and image content. The flaw allows a crafted HTML page to trigger a heap-based buffer overflow during media processing operations. When the affected code path writes past the bounds of an allocated heap buffer, attacker-controlled data can corrupt adjacent memory regions in the renderer process.

Out-of-bounds writes in browser renderers are commonly chained with sandbox escapes or information disclosure primitives to achieve full remote code execution on the host. Because WebCodecs accepts attacker-supplied media streams and decode parameters, the attack surface is reachable from any web origin without special permissions.

Root Cause

The root cause is improper validation of buffer boundaries during WebCodecs media processing. The component fails to correctly constrain write operations to allocated heap memory, classified as [CWE-122] Heap-based Buffer Overflow and [CWE-787] Out-of-bounds Write. Detailed technical analysis is restricted in the Chromium Issue Tracker Entry pending broader patch deployment.

Attack Vector

Exploitation occurs over the network through a crafted HTML page. A victim must visit an attacker-controlled site or load malicious content embedded in a compromised page or advertisement. No authentication is required, and the user interaction is limited to browsing. Drive-by-download style delivery via malvertising or phishing links is the most likely real-world delivery mechanism. No public proof-of-concept exploit or in-the-wild exploitation has been reported as of publication.

Detection Methods for CVE-2026-3544

Indicators of Compromise

• Chrome renderer process crashes with heap corruption signatures, particularly during pages that use WebCodecs APIs
• Unexpected child processes spawned by chrome.exe or the renderer helper, especially shells or scripting interpreters
• Outbound connections from browser processes to unfamiliar domains immediately after visiting an unknown page
• Browser telemetry showing WebCodecs decode failures correlated with newly accessed URLs

Detection Strategies

• Inventory installed Chrome versions across endpoints and flag any below 145.0.7632.159
• Hunt for renderer crash dumps referencing WebCodecs modules in endpoint telemetry
• Monitor process lineage for anomalous descendants of Chrome renderer processes
• Correlate web proxy logs with endpoint browser process anomalies to surface drive-by attack attempts

Monitoring Recommendations

• Enable enterprise Chrome update reporting to confirm version compliance across the fleet
• Forward browser process telemetry, including crash events and child-process creation, to a centralized analytics platform
• Track network egress from browser processes to newly registered or low-reputation domains
• Review web filtering logs for users visiting unknown sites that subsequently trigger Chrome crashes

How to Mitigate CVE-2026-3544

Immediate Actions Required

• Update Google Chrome to version 145.0.7632.159 or later on all Windows, macOS, and Linux endpoints
• Verify Chromium-based browsers downstream of Chrome (Edge, Brave, Opera, Vivaldi) for vendor patches addressing the same upstream fix
• Restart browser instances after update deployment to ensure the patched binary is loaded
• Audit enterprise update policies to confirm Chrome auto-update is not disabled by group policy

Patch Information

Google released the fix in the Stable Channel update documented in the Stable Channel Update for Desktop. All Chrome installations prior to 145.0.7632.159 should be upgraded immediately. Enterprises using managed Chrome deployments should push the update via their endpoint management or Chrome Browser Cloud Management console.

Workarounds

• Restrict access to untrusted websites through web filtering or DNS security policies until patches are deployed
• Deploy site isolation and strict sandbox enforcement via Chrome enterprise policies to limit renderer compromise impact
• Disable WebCodecs experimental flags where not required by business applications
• Apply browser hardening baselines such as disabling unneeded media codecs through enterprise policy

# Verify installed Chrome version on Linux/macOS
google-chrome --version
# Expected output: Google Chrome 145.0.7632.159 or later

# Force enterprise update on Windows via PowerShell
Start-Process -FilePath "C:\Program Files\Google\Chrome\Application\chrome.exe" -ArgumentList "--check-for-update-interval=1"