Cyber Posture

CVE-2026-3545

Severity: Critical
Published: 04 March 2026
Modified: 05 March 2026
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.5th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Insufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SI-2 requires timely flaw remediation through patching Chrome to version 145.0.7632.159 or later, directly eliminating the insufficient data validation vulnerability.

prevent: SI-10 mandates validation of information inputs such as crafted HTML navigation data, directly addressing the CWE-20 improper input validation root cause.

prevent: SC-39 enforces process isolation for browser renderer processes, strengthening the sandbox boundaries that the escape targets.

Security Summary [AI]

CVE-2026-3545 is an insufficient data validation vulnerability (CWE-20) in the Navigation component of Google Chrome prior to version 145.0.7632.159. This high-severity issue, as rated by the Chromium security team, allows a remote attacker to potentially escape the browser's sandbox through a crafted HTML page. The vulnerability received a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), highlighting its critical potential impact.

A remote attacker without privileges can exploit this over the network with low attack complexity, though it requires user interaction, such as visiting a malicious webpage. Successful exploitation enables a sandbox escape, resulting in high impacts to confidentiality, integrity, and availability across the changed scope.

Mitigation is addressed in the Google Chrome stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/487383169. Practitioners should update affected Chrome installations to version 145.0.7632.159 or later.
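As an added example (not part of this advisory or of Chrome itself), a small Python check that decides whether a reported Chrome build predates the fixed version named above; it compares version components numerically, since plain string comparison would rank a build like 145.0.7632.9 above 145.0.7632.159. The host names and version strings in the sample inventory are constructed.

```python
import re

# Fixed build named in the advisory; earlier builds are affected.
FIXED_VERSION = "145.0.7632.159"


def parse_version(text: str) -> tuple:
    """Extract a dotted Chrome version from free text (for example the
    output of `google-chrome --version`, 'Google Chrome 145.0.7632.120')
    and return it as a tuple of ints so that comparisons are numeric."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad short strings (e.g. '145.0') so they compare as the lowest build.
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Split hosts into those still needing the CVE-2026-3545 update and
    those already patched. Input maps host name -> Chrome version string."""
    result = {"needs_update": [], "patched": []}
    for host, ver in inventory.items():
        bucket = "needs_update" if is_vulnerable(ver) else "patched"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    sample = {
        "ws-01": "Google Chrome 145.0.7632.120",
        "ws-02": "145.0.7632.159",
        "ws-03": "145.0.7632.9",
        "ws-04": "146.0.7640.30",
    }
    print(triage(sample))
```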

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products

google / chrome: ≤ 145.0.7632.159 · ≤ 145.0.7632.160

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a client-side browser exploit (T1203) via crafted HTML enabling sandbox escape, which facilitates privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References