8.8 CVE-2026-3538

Enriched by CISA

Integer overflow in Skia in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)
https://nvd.nist.gov/vuln/detail/CVE-2026-3538

Categories

CWE-472 : External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Forum product allows spoofed messages of other users via hidden form fields for name and e-mail address. Shopping cart allows price modification via hidden form field. Shopping cart allows price modification via hidden form field. Shopping cart allows price modification via hidden form field. Shopping cart allows price modification via hidden form field. Shopping cart allows price modification via hidden form field. Allows admin access by modifying value of form field. Read messages by modifying message ID parameter. Send email to arbitrary users by modifying email parameter. Authentication bypass by setting a parameter. Product does not check authorization for configuration change admin script, leading to password theft via modified e-mail address field. Logic error leads to password disclosure. Modification of message number parameter allows attackers to read other people's messages.

CWE-191 : Integer Underflow (Wrap or Wraparound)
This can happen in signed and unsigned cases.

References

chrome-cve-admin@google.com

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-deskt... Release Notes Vendor Advisory
https://issues.chromium.org/issues/484983991 Issue Tracking Permissions Required

AFFECTED (from MITRE)

Vendor	Product	Versions
Google	Chrome	145.0.7632.159 < 145.0.7632.159 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
AND
cpe:2.3:a:google:chrome::::::::		< 145.0.7632.159
Running on/with
cpe:2.3:o:apple:macos:-:::::::*
cpe:2.3:o:linux:linux_kernel:-:::::::*
cpe:2.3:o:microsoft:windows:-:::::::*

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
146	XML Schema Poisoning An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema. [Determine if XML schema is local or remote] Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used. [Gain access to XML schema] The adversary gains access to the XML schema so that they can modify the contents. [Poison XML schema] Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.	High
226	Session Credential Falsification through Manipulation An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.	Medium
31	Accessing/Intercepting/Modifying HTTP Cookies This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information. [Obtain copy of cookie] The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies. [Obtain sensitive information from cookie] The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them. [Modify cookie to subvert security controls.] The adversary may be able to modify or replace cookies to bypass security controls in the application.	High
39	Manipulating Opaque Client-based Data Tokens In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation. [Enumerate information passed to client side] The attacker identifies the parameters used as part of tokens to take business or security decisions [Determine protection mechanism for opaque token] The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used. [Modify parameter/token values] Trying each parameter in turn, the attacker modifies the values [Cycle through values for each parameter.] Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server	Medium

MITRE

Techniques

id	description
T1539	Steal Web Session Cookie
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1017	Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee