Google Chrome Emergency Update Fixes Three High-Severity Flaws

Google has rolled out a critical emergency update for Chrome, addressing three high-severity vulnerabilities that could expose millions of users to remote code execution (RCE) and data leaks.

The Stable channel now updates to version 145.0.7632.116/117 on Windows and Mac, and 144.0.7559.116 on Linux. This patch deploys gradually over days or weeks. Check chrome://settings/help to force an update immediately.

These fixes target memory corruption and implementation flaws, common vectors for zero-day exploits. Details remain partially restricted until most users update, per Chromium’s policy, but the Chrome Releases blog highlights the risks. All three earned “High” severity ratings, with CVEs assigned: CVE-2026-3061, CVE-2026-3062, and CVE-2026-3063.

Three High-Severity Flaws in Google Chrome

  1. CVE-2026-3061: Out-of-Bounds Read in Media (High)
    Reported by Luke Francis on February 9, 2026. This flaw in Chrome’s Media subsystem allows attackers to read data beyond allocated memory buffers. Triggered by malicious media files (e.g., crafted WebM videos), it could leak sensitive memory, such as authentication tokens or keystrokes. Chained with a renderer exploit, it might enable sandbox escape, leading to full system compromise. Mitigation involved bounds-checking enhancements in the media parser.
  2. CVE-2026-3062: Out-of-Bounds Read/Write in Tint (High)
    Disclosed by Cinzinga on February 11, 2026. Tint, Chrome’s Vulkan/WebGPU shader compiler, suffered heap buffer overflows. Attackers could manipulate shader inputs via WebGPU APIs on supported hardware, corrupting adjacent memory. This dual read/write primitive lends itself to info leaks or arbitrary writes, potentially bypassing ASLR and DEP. The patch tightens array indexing and validation in Tint’s codegen.
  3. CVE-2026-3063: Inappropriate Implementation in DevTools (High)
    Found by M. Fauzan Wijaya (Gh05t666nero) on February 17, 2026. DevTools’ protocol handling lacked proper input sanitization, enabling DOM-based cross-site scripting (XSS) or UI redressing. Remote sites could inject payloads if DevTools were open, exposing debug sessions or exfiltrating local data. Fixes enforce stricter CSP and input filtering.

Google credits these researchers through its Vulnerability Reward Program and notes that internal tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity (CFI), libFuzzer, and AFL also caught additional bugs that were fixed. Fuzzing remains key: it feeds malformed inputs to the code to catch edge cases before a stable release.

| CVE ID | Component | Severity | Reporter(s) | Bug ID | Potential Impact |
|---|---|---|---|---|---|
| CVE-2026-3061 | Media | High | Luke Francis | 482862710 | Memory leak via malicious media; possible sandbox escape with chaining. |
| CVE-2026-3062 | Tint (WebGPU) | High | cinzinga | 483751167 | Heap corruption via shaders; info leak or arbitrary write. |
| CVE-2026-3063 | DevTools | High | M. Fauzan Wijaya (Gh05t666nero) | 485287859 | DOM XSS or UI manipulation if DevTools open; session exposure. |

Technical Implications and Best Practices

For enterprises, these flaws underscore the limits of renderer isolation. Media and WebGPU run in high-privilege sandboxes. Attackers favor drive-by downloads: they lure users to rigged sites and trigger the flaws silently. Post-exploit, stolen memory fuels phishing or ransomware.

Update ASAP; auto-updates cover 98% of users, but test in staging. Disable unused features like WebGPU (chrome://flags) and DevTools auto-open. Pair with endpoint detection (e.g., Chrome Enterprise policies) and monitor via Chromium’s security page.
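For fleets where the gradual rollout has not reached every machine, the added example below (not from Google or the original article) classifies endpoints against the fixed builds quoted above. The inventory rows, hostnames and function names are constructed for illustration, and because the article does not say which of .116/.117 belongs to Windows or Mac, .116 is assumed as the floor for both.

```python
import re

# Fixed Stable builds as stated in the article. ".116/117" is given for
# Windows and Mac without saying which is which, so .116 is the assumed floor.
FIXED = {
    "windows": (145, 0, 7632, 116),
    "mac": (145, 0, 7632, 116),
    "linux": (144, 0, 7559, 116),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    floor = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unlisted platform or unparseable version string
    # Integer tuples compare numerically, so build 77 sorts below 116
    # (a plain string comparison would get this wrong). Any newer major
    # version is treated as patched (assumption).
    return "patched" if version >= floor else "vulnerable"

def audit(inventory):
    """Group hostnames by status; rows are (host, platform, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "145.0.7632.116"),
    ("ws-002", "Windows", "145.0.7632.77"),
    ("mb-010", "Mac", "Google Chrome 145.0.7632.117"),
    ("lx-020", "Linux", "Google Chrome 144.0.7559.96 "),
    ("lx-021", "Linux", "Google Chrome 144.0.7559.116"),
    ("kiosk-1", "ChromeOS", "145.0.7632.116"),
    ("ws-003", "Windows", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need manual follow-up rather than being counted as patched.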

Site: cybersecuritypath.com
