CVE-2026-3539

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to exploit heap corruption in Google Chrome's DevTools through malicious extensions. Users who install untrusted Chrome extensions are affected, potentially leading to arbitrary code execution. The issue affects Chrome versions before 145.0.7632.159.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 145.0.7632.159
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user to install a malicious extension; default Chrome configuration is vulnerable if extension is installed.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, allowing the attacker to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Browser compromise leading to session hijacking, credential theft, and installation of additional malicious extensions.

🟢 If Mitigated

Limited impact if users only install extensions from trusted sources and have proper endpoint protection.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to install malicious extension; no public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 145.0.7632.159 and later

Vendor Advisory: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome settings
2. Click 'About Chrome'
3. Allow Chrome to update automatically
4. Restart Chrome when prompted

🔧 Temporary Workarounds

Disable Chrome Extensions (platform: all)

Temporarily disable all Chrome extensions to prevent exploitation.

chrome://extensions/ → Toggle off all extensions

Restrict Extension Installation (platform: windows)

Configure Chrome to only allow extensions from the Chrome Web Store.

Group Policy: ExtensionInstallSources = https://chrome.google.com/webstore/*

🧯 If You Can't Patch

  • Implement application allowlisting to block Chrome execution
  • Deploy endpoint protection with memory protection features

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in settings → About Chrome

Check Version:

chrome://version/

Verify Fix Applied:

Verify Chrome version is 145.0.7632.159 or higher
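As an added example (not part of the advisory), a small Python check that compares an installed Chrome version against the fixed build 145.0.7632.159 component by component. It accepts either a bare version string copied from chrome://version/ or a line such as `Google Chrome 145.0.7632.159` as printed by `google-chrome --version`. The four-part numeric comparison matters because a plain string compare would rank 145.0.7632.99 above 145.0.7632.159 and report a vulnerable build as patched. The function names and sample inputs are constructed for the example.

```python
import re

# Fixed build named in the advisory for CVE-2026-3539.
FIXED_VERSION = "145.0.7632.159"

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in `text` as a tuple of ints.

    Works on a bare version ("145.0.7632.159") and on the output of
    `google-chrome --version` ("Google Chrome 145.0.7632.159").
    A tuple of ints compares numerically; the raw strings would not.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` predates the fixed build for this CVE."""
    return parse_version(installed) < parse_version(fixed)


def assess(installed, fixed=FIXED_VERSION):
    """Human-readable verdict for a fleet report or a quick manual check."""
    status = "VULNERABLE" if is_vulnerable(installed, fixed) else "PATCHED"
    found = ".".join(str(part) for part in parse_version(installed))
    return f"{found}: {status} (fixed in {fixed})"


if __name__ == "__main__":
    # Constructed sample inputs, including the case a string compare gets wrong.
    for sample in ("Google Chrome 145.0.7632.99",
                   "145.0.7632.159",
                   "Chromium 146.0.7700.12"):
        print(assess(sample))
```

Feed it the version line from each endpoint's inventory export and alert on any `VULNERABLE` result; the same tuple comparison works for any later Chrome fix by changing `FIXED_VERSION`.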

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension installation events
  • Chrome crash reports with memory corruption signatures

Network Indicators:

  • Downloads from non-Chrome Web Store extension sources

SIEM Query:

source="chrome_extension_logs" AND event="install" AND source_url NOT CONTAINS "chrome.google.com/webstore"
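The SIEM query above decides with a substring test. As an added example (not from the advisory; the log records below are constructed to mirror its `event` and `source_url` field names, and the extension ids and hostnames are placeholders), the Python below parses extension install records and flags any install whose source URL is not on a trusted Web Store host. It uses URL parsing so that scheme, host and path decide, which a substring test cannot do: a store-looking string in the path of some other host, or a `file://` sideload, is reported rather than passed. It treats `chrome.google.com/webstore/` (the source named in the Group Policy above) and `chromewebstore.google.com` (the store's current host) as trusted; adjust `WEBSTORE_SOURCES` to your environment.

```python
import json
from urllib.parse import urlparse

# Hosts and path prefixes accepted as Chrome Web Store sources.
# chrome.google.com/webstore/ is the source the advisory's policy names;
# chromewebstore.google.com is the store's current host. Adjust as needed.
WEBSTORE_SOURCES = (
    ("chrome.google.com", "/webstore/"),
    ("chromewebstore.google.com", "/"),
)

# Constructed records mirroring the advisory's "chrome_extension_logs" fields.
# Extension ids and hosts are placeholders, not real identifiers.
SAMPLE_LOGS = [
    '{"event": "install", "host": "ws01", "extension_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "source_url": "https://chrome.google.com/webstore/detail/example/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}',
    '{"event": "install", "host": "ws02", "extension_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "source_url": "https://chromewebstore.google.com/detail/example/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}',
    '{"event": "install", "host": "ws03", "extension_id": "cccccccccccccccccccccccccccccccc", "source_url": "https://cdn.example.net/mirror/chrome.google.com/webstore/pkg.crx"}',
    '{"event": "install", "host": "ws04", "extension_id": "dddddddddddddddddddddddddddddddd", "source_url": "file:///C:/Users/user/Downloads/sideload.crx"}',
    '{"event": "update", "host": "ws01", "extension_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "source_url": "https://chrome.google.com/webstore/detail/example/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}',
]


def is_webstore_url(url):
    """True only for an https URL whose host and path match a trusted store source.

    Parsing the URL (rather than testing for a substring) means a store-looking
    string in the path of some other host does not count as the Web Store.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    return any(host == h and path.startswith(prefix) for h, prefix in WEBSTORE_SOURCES)


def non_webstore_installs(lines):
    """Return install records whose source_url is not a trusted Web Store URL."""
    hits = []
    for line in lines:
        record = json.loads(line)
        if record.get("event") != "install":
            continue
        if not is_webstore_url(record.get("source_url", "")):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in non_webstore_installs(SAMPLE_LOGS):
        print(f"ALERT host={hit['host']} ext={hit['extension_id']} src={hit['source_url']}")
```

Run over the constructed records, the function reports the install on ws03 (a non-Google host whose path merely contains the store string) and the sideloaded file on ws04, and ignores the update event and the two genuine store installs.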
