Description
Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-03-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

An object lifecycle flaw in PowerVR in Google Chrome for Android allows an attacker to craft a malicious HTML page that triggers heap corruption, potentially enabling arbitrary code execution. Chromium rates the vulnerability Critical, and the CVSS vector recorded for it (C:H/I:H/A:H) assigns high impact to the confidentiality, integrity, and availability of the affected system. The flaw corrupts application memory directly and does not rely on additional software exploits.

Affected Systems

Google Chrome on Android versions prior to 145.0.7632.159 are impacted. The issue exists in the PowerVR component, which is used across Android Chrome builds. Other platforms such as macOS, Linux, and Windows are listed in the CPE data, but the flaw is specific to the Android implementation.

Risk and Exploitability

The CVSS score of 8.8 reflects the severity of the flaw, while the EPSS score of less than 1% indicates a low, but nonzero, probability of real‑world exploitation. The vulnerability is not currently listed in CISA’s KEV catalog. Attackers can exploit it by directing a user to a crafted HTML page, so the attack vector is remote over the network (AV:N in the CVSS vector). Exploitation requires the victim to open the malicious content (UI:R). Once triggered, the heap corruption could lead to arbitrary code execution with the privileges of the Chrome process.

Generated by OpenCVE AI on April 16, 2026 at 05:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome on Android to version 145.0.7632.159 or newer on all devices.
  • Enable automatic updates for Chrome so that future security patches are applied without manual intervention.
  • When an update cannot be applied immediately, mitigate exposure by restricting the browsing of untrusted content, using Chrome’s Safe Browsing and Site Isolation features to limit the impact of any potential exploit.

Advisories
Source | ID | Title
Debian DSA | DSA-6157-1 | chromium security update
History

Thu, 16 Apr 2026 06:00:00 +0000

Type Values Removed Values Added
Title PowerVR Object Lifecycle Heap Corruption in Google Chrome on Android

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1091
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-787
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 04 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Object lifecycle issue in PowerVR in Google Chrome on Android prior to 145.0.7632.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-11T15:13:22.581Z

Reserved: 2026-03-04T18:18:27.478Z

Link: CVE-2026-3537

Vulnrichment

Updated: 2026-03-04T20:07:29.284Z

NVD

Status: Modified

Published: 2026-03-04T20:16:20.707

Modified: 2026-03-11T16:16:45.293

Link: CVE-2026-3537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses