CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-3062

CVSS 9.8v3.1pub. 2026-02-23upd. 2026-02-25

Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

🤖 AI Analysis
How it works

The bug consists of improper memory handling (out of bounds read and out of bounds write — CWE-125 and CWE-787) in the Tint module responsible for graphics rendering in Chrome browser. An attacker delivers a specially crafted HTML page, whose processing by the vulnerable component causes access to memory areas exceeding the allocated buffer. This operation can be performed remotely, without user interaction beyond visiting the page itself, and requires no special privileges.

Impact

Successful exploitation of the vulnerability may allow an attacker to perform unauthorized read and write operations in the browser process memory, potentially leading to disclosure of sensitive data, data integrity violation, and arbitrary code execution (RCE) or application destabilization.

Mitigation & patch

Google Chrome should be updated to version 145.0.7632.116 or newer, available through the browser's official update channel. Details in the manufacturer's references: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html

Who is affected

Google Chrome on macOS in versions earlier than 145.0.7632.116

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    wszystkie wersje
  • Google Chrome

    APP
    Google
    < 145.0.7632.116< 145.0.7632.117
  • Linux Kernel

    OS
    Linux
    wszystkie wersje
  • Microsoft Windows

    OS
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach