Description
Inappropriate implementation in WebAudio in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Published: 2026-03-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out of Bounds Memory Read
Action: Apply Update
AI Analysis

Impact

Google Chrome versions earlier than 145.0.7632.159 contain an inappropriate implementation in the WebAudio subsystem that permits a remote attacker to trigger an out of bounds memory read through a crafted HTML page. This flaw allows the attacker to read data beyond the intended buffer, potentially exposing private information or causing an application crash. The primary consequence is information disclosure and instability of the browser, with a high severity CVSS score of 8.8.

Affected Systems

The vulnerability affects Google Chrome on all major operating systems, including Windows, macOS, and Linux. Any installation of Chrome prior to version 145.0.7632.159 is susceptible. The flaw is triggered by web content that a user can open in the browser, regardless of the underlying platform.

Risk and Exploitability

The CVSS score of 8.8 indicates a significant risk, while the EPSS score of less than 1% suggests that exploitation attempts are currently rare. Because the attack requires a user to visit a malicious page, it is a client‑side vulnerability that relies on social engineering or compromised sites. The issue is not listed in the CISA KEV catalog, so there are no publicly known widespread attacks, but its high severity warrants timely remediation.

Generated by OpenCVE AI on April 16, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 145.0.7632.159 or later to apply the fix
  • Enable Chrome’s automatic updates to ensure future patches are applied promptly
  • Use web‑content filtering or isolation policies to block or sandbox sites that may deliver malicious audio content

Advisories
Source: Debian DSA
ID: DSA-6157-1
Title: chromium security update

History

Sat, 07 Mar 2026 00:15:00 +0000

Type: Title
Values Added: chromium-browser: Inappropriate implementation in WebAudio

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Thu, 05 Mar 2026 22:00:00 +0000

Type: First Time appeared
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Type: Weaknesses
Values Added: CWE-125

Type: CPEs
Values Added:
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows

Thu, 05 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Google; Google chrome

Type: Vendors & Products
Values Added: Google; Google chrome

Wed, 04 Mar 2026 19:30:00 +0000

Type: Description
Values Added: Inappropriate implementation in WebAudio in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-05T14:04:18.110Z

Reserved: 2026-03-04T18:18:28.511Z

Link: CVE-2026-3540

Vulnrichment

Updated: 2026-03-05T14:04:09.417Z

NVD

Status: Analyzed

Published: 2026-03-04T20:16:21.123

Modified: 2026-03-05T21:56:46.790

Link: CVE-2026-3540

Redhat

Severity: Important

Public Date: 2026-03-03T00:00:00Z

Links: CVE-2026-3540 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses