CVE-2026-3544: Heap buffer overflow in Google Chrome
CVE-2026-3544 is a heap buffer overflow vulnerability in the WebCodecs component of Google Chrome versions prior to 145.0.7632.159. This flaw allows a remote attacker to trigger an out-of-bounds memory write by delivering a specially crafted HTML page. Exploitation does not require user authentication but does require user interaction to visit a malicious web page. While no known exploits are currently reported in the wild, the vulnerability is classified with high severity by Chromium security. The vulnerability could lead to arbitrary code execution, compromising confidentiality, integrity, and availability of the affected system. Organizations using vulnerable Chrome versions are at risk, especially those with high exposure to web-based threats. Immediate patching to version 145.
AI Analysis
Technical Summary
CVE-2026-3544 is a heap buffer overflow vulnerability identified in the WebCodecs API implementation within Google Chrome prior to version 145.0.7632.159. WebCodecs is a web platform API that enables efficient video and audio encoding and decoding directly in the browser. The vulnerability arises from improper bounds checking during processing of codec data, allowing a remote attacker to craft a malicious HTML page that triggers an out-of-bounds write in heap memory. This memory corruption can lead to arbitrary code execution within the context of the browser process. Since the flaw is remotely exploitable via web content, an attacker can exploit it by luring a user to a malicious or compromised website. The vulnerability does not require prior authentication but does require user interaction (visiting the malicious page). Although no exploits have been publicly reported yet, the Chromium security team has rated the severity as high due to the potential for remote code execution and the widespread use of Chrome. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability affects all platforms running the vulnerable Chrome versions, including Windows, macOS, Linux, and Chrome OS. The issue was publicly disclosed on March 4, 2026, and users are advised to update to Chrome 145.0.7632.159 or later where the flaw is patched. The absence of patch links in the provided data suggests users should rely on official Google Chrome update channels for remediation.
Potential Impact
The heap buffer overflow in WebCodecs can allow remote attackers to execute arbitrary code within the browser context, potentially leading to full system compromise depending on sandbox escape techniques. This threatens confidentiality by enabling data theft, integrity by allowing malicious code injection or modification, and availability by causing browser crashes or denial of service. Organizations relying heavily on Chrome for web access, especially those handling sensitive data or critical operations, face significant risk. Attackers could leverage this vulnerability to deploy malware, conduct espionage, or disrupt services. The ease of exploitation via crafted web content and the ubiquity of Chrome amplify the threat's scope. Without timely patching, enterprises, governments, and individual users remain vulnerable to targeted or mass exploitation campaigns. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.
Mitigation Recommendations
Organizations should prioritize updating Google Chrome to version 145.0.7632.159 or later immediately to remediate the vulnerability. Employ enterprise patch management systems to enforce timely browser updates across all endpoints. Implement web content filtering and URL reputation services to block access to suspicious or untrusted websites that could host exploit pages. Use browser security features such as site isolation, sandboxing, and strict content security policies to limit the impact of potential exploitation. Monitor network traffic and endpoint behavior for indicators of compromise related to heap corruption or unusual browser crashes. Educate users about the risks of visiting untrusted websites and encourage cautious browsing habits. Consider deploying endpoint detection and response (EDR) solutions capable of detecting exploitation attempts targeting browser vulnerabilities. Regularly review and audit browser extensions and plugins to minimize attack surface. Finally, maintain up-to-date backups and incident response plans to quickly recover from any successful exploitation.
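One way to operationalize the patch step above, as an added example that is not from the advisory or from Google: a small Python triage that compares reported Chrome versions numerically against the fixed build named on the page and sorts an endpoint inventory into vulnerable, patched and unknown. The inventory format, hostnames and versions are constructed sample data.

```python
"""Patch-status triage for CVE-2026-3544 (Chrome < 145.0.7632.159, WebCodecs)."""
import re

# First fixed Chrome version stated in the advisory.
FIXED_VERSION = "145.0.7632.159"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

def parse_version(text):
    """Parse a four-part Chrome version into an int tuple, or None if malformed.
    Ints compare correctly; as strings '145.0.7632.9' would sort above '145.0.7632.159'."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_vulnerable(version):
    """True if the version predates the fix, False if patched, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)

def triage_inventory(csv_text):
    """Sort 'host,chrome_version' lines into vulnerable / patched / unknown hosts.
    Unparseable versions go to 'unknown', never silently to 'patched', so they get follow-up."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        status = is_vulnerable(version)
        bucket = "unknown" if status is None else ("vulnerable" if status else "patched")
        result[bucket].append(host.strip())
    return result

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """\
# host,chrome_version
ws-01,145.0.7632.158
ws-02,145.0.7632.159
ws-03,144.0.7559.200
ws-04,146.0.7700.10
ws-05,145.0.7632.9
ws-06,unknown
"""
```

Feed it the export of your patch-management or MDM inventory in the same two-column shape; the "unknown" bucket is the list to chase manually.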
Affected Countries
United States, China, India, Germany, United Kingdom, France, Japan, South Korea, Brazil, Canada, Australia, Russia, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Chrome
- Date Reserved: 2026-03-04T18:18:30.060Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69a88902d1a09e29cb6a2466
Added to database: 3/4/2026, 7:33:22 PM
Last enriched: 3/4/2026, 7:47:48 PM
Last updated: 3/4/2026, 8:38:30 PM