Description
Out of bounds read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Published: 2026-02-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Out‑of‑Bounds Memory Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in the Media code path of Chromium. By loading a specially crafted HTML page in the vulnerable browser, a remote attacker can cause the renderer to read memory outside the intended buffer. This enables the attacker to exfiltrate arbitrary data from the process, potentially revealing sensitive information such as credentials, cryptographic keys, or other private data. The flaw is classified as CWE‑125 and carries high risk as indicated by the CVSS score of 8.8.

Affected Systems

This issue affects Google Chrome browsers running any version prior to 145.0.7632.116 on all supported operating systems, including Windows, macOS, and Linux. The affected CPEs include cpe:2.3:a:google:chrome and the various OS CPEs show that the vulnerability is present across Chrome installations on all major platforms. Users of embedded or legacy versions of Chrome that have not yet received the 145.0.7632.116 security update remain exposed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, and the EPSS score of less than 1% suggests exploitation is currently rare, though not impossible. The vulnerability is not listed in the CISA KEV catalog at this time. The exploit requires delivery of a crafted HTML page that the victim browses, implying that a social engineering or drive‑by download vector could be used. Because the read occurs in the renderer process, privileges remain limited to the current user, so the damage is largely data disclosure rather than full system compromise.

Generated by OpenCVE AI on April 17, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to the latest stable version, ensuring the 145.0.7632.116 release is applied
  • Enable Chrome’s built‑in Safe Browsing and Site Isolation features to reduce the impact of potential exploits
  • Keep the operating system and all software up to date to minimize the overall attack surface

Generated by OpenCVE AI on April 17, 2026 at 16:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6151-1 chromium security update
History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Tue, 24 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Out of bounds read in Media
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 23 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Out of bounds read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-125
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-02-26T14:44:10.813Z

Reserved: 2026-02-23T18:41:53.196Z

Link: CVE-2026-3061

cve-icon Vulnrichment

Updated: 2026-02-25T17:06:44.496Z

cve-icon NVD

Status : Modified

Published: 2026-02-23T23:16:15.850

Modified: 2026-02-25T18:23:42.007

Link: CVE-2026-3061

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-23T00:00:00Z

Links: CVE-2026-3061 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses