CVE-2026-3542 is a vulnerability identified in Google Chrome's WebAssembly implementation before version 145.0.7632.159. The issue stems from an inappropriate implementation that permits a remote attacker to perform out-of-bounds memory access by crafting a malicious HTML page containing WebAssembly code. WebAssembly is a low-level bytecode format designed to run high-performance applications in browsers. An out-of-bounds memory access can corrupt memory, potentially leading to arbitrary code execution, data leakage, or denial of service via browser crashes. The attack vector requires only that a user visits a malicious or compromised webpage, with no additional authentication or user interaction needed beyond page load. Although no exploits have been reported in the wild, the vulnerability is classified as high severity by Chromium security due to the potential impact and ease of exploitation. The lack of a CVSS score means severity assessment must consider the broad impact on confidentiality, integrity, and availability, the widespread use of Chrome, and the critical role of WebAssembly in modern web applications. The vulnerability is fixed in Chrome version 145.0.7632.159, and users running earlier versions remain vulnerable. This flaw highlights the risks inherent in complex browser features like WebAssembly, which, while powerful, can introduce significant security challenges if not implemented securely.

The vulnerability allows remote attackers to exploit out-of-bounds memory access in Chrome's WebAssembly engine, which can lead to arbitrary code execution within the browser context. This compromises the confidentiality and integrity of user data and can disrupt availability by causing browser crashes or instability. Since Chrome is one of the most widely used browsers globally, the potential attack surface is vast, affecting individual users, enterprises, and critical infrastructure relying on web applications. Exploitation could facilitate further attacks such as malware installation, data exfiltration, or lateral movement within networks. The ease of exploitation—requiring only a crafted webpage and no user interaction beyond visiting—raises the risk of widespread automated attacks or drive-by downloads. Organizations with high dependency on Chrome for web access, especially those handling sensitive data or operating in regulated industries, face increased risk of data breaches and operational disruption. The absence of known exploits in the wild currently limits immediate impact but does not diminish the urgency for patching and mitigation.

1. Immediate update to Google Chrome version 145.0.7632.159 or later to apply the patch addressing this vulnerability. 2. Employ network-level protections such as web filtering and intrusion prevention systems to block access to known malicious sites hosting crafted WebAssembly content. 3. Enable browser security features like site isolation and sandboxing to limit the impact of potential exploitation. 4. Monitor browser crash reports and unusual WebAssembly activity for signs of attempted exploitation. 5. Educate users on safe browsing practices to reduce the risk of visiting untrusted or suspicious websites. 6. For enterprise environments, consider deploying endpoint detection and response (EDR) solutions capable of detecting exploitation attempts targeting browser memory corruption. 7. Maintain an up-to-date inventory of browser versions in use across the organization to ensure timely patch management. 8. Limit or control the use of WebAssembly in browsers via policy or extensions where feasible, especially in high-security environments. These measures collectively reduce the risk of exploitation and limit potential damage if an attack occurs.