Description
Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-03-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An integer overflow in the Skia graphics library used by Google Chrome versions before 145.0.7632.159 permits a remote attacker to craft an HTML page that triggers out‑of‑bounds memory reads or writes. This flaw can lead to memory corruption, which might allow arbitrary code execution or cause a denial of service, though the description only indicates potential rather than confirmed exploitation. The weakness is characterized by CWE‑191 (Integer Overflow or Underflow) and CWE‑472 (Incorrect Calculation of Array Index).

Affected Systems

Google Chrome browsers on Windows, macOS, Linux, and Microsoft Windows that are installed at or before version 145.0.7632.159. The vulnerability affects all products that include the Skia library in these versions, as indicated by the vendor name Google and the relevant CPE strings for the Chrome browser.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity, while the EPSS score of <1% suggests low predicted exploitation probability at this time. The vulnerability is not currently listed in the CISA KEV catalog, indicating no confirmed exploits yet. The likely attack vector, based on the description, is a malicious HTML file or webpage that a user opens or visits. The description indicates that an attacker may manipulate Skia rendering to trigger out‑of‑bounds memory access, potentially leading to code execution or a crash, depending on the target environment.

Generated by OpenCVE AI on April 18, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 145.0.7632.159 or later, which contains a fix for the Skia overflow.
  • Configure corporate browser and content security policies to restrict execution of untrusted HTML content and limit access to external resources that could invoke Skia rendering.
  • Deploy endpoint protection or sandboxing tools to isolate the Chrome process and monitor for abnormal memory access patterns or crashes that could indicate exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 09:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6157-1 chromium security update
History

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 07 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Integer overflow in Skia
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-191
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 04 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-472
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-11T15:13:13.329Z

Reserved: 2026-03-04T18:18:27.867Z

Link: CVE-2026-3538

cve-icon Vulnrichment

Updated: 2026-03-04T20:01:08.295Z

cve-icon NVD

Status : Modified

Published: 2026-03-04T20:16:20.817

Modified: 2026-03-11T16:16:45.463

Link: CVE-2026-3538

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-03T00:00:00Z

Links: CVE-2026-3538 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses