8.8 CVE-2026-3539

Enriched by CISA
 

Object lifecycle issue in DevTools in Google Chrome prior to 145.0.7632.159 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
https://nvd.nist.gov/vuln/detail/CVE-2026-3539

Categories

CWE-1091 : Use of Object without Invoking Destructor Method
The product contains a method that accesses an object but does not later invokethe element's associated finalize/destructor method. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

References

chrome-cve-admin@google.com


 

AFFECTED (from MITRE)

Vendor Product Versions
Google Chrome
  • 145.0.7632.159 < 145.0.7632.159 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
AND
   cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* < 145.0.7632.159
  Running on/with
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry