Severity
High
Analysis Summary
Google has rolled out a critical security update for the Chrome Stable channel to address two high-severity vulnerabilities that could allow attackers to execute arbitrary code or crash the browser. The update raises Chrome to version 144.0.7559.132/.133 on Windows and macOS, and 144.0.7559.132 on Linux. Google stated that the fix will be deployed gradually over the coming days and weeks. Both issues stem from memory corruption flaws in core browser components, making them particularly dangerous if exploited.
The patched vulnerabilities can be triggered when a user visits a specially crafted malicious website, with exploitation occurring inside Chrome’s renderer process. While the sandbox limits direct system access, memory corruption bugs are often used as an initial step in multi-stage attacks. The vulnerabilities were rated High severity due to their potential to enable arbitrary code execution or cause denial-of-service conditions.
The most critical issue, CVE-2026-1862, is a type confusion flaw in V8, Google’s JavaScript and WebAssembly engine. By causing V8 to treat an object as a different type than it actually is, an attacker can corrupt memory pointers and perform out-of-bounds memory access. This can allow reading or writing of unintended memory regions, potentially leading to arbitrary code execution within the renderer sandbox. The vulnerability was reported by an external security researcher, highlighting the continued risk posed by complex JavaScript engine logic.
The second flaw, CVE-2026-1861, is a heap buffer overflow in libvpx, the library responsible for VP8 and VP9 video decoding. An attacker could craft a malicious video stream embedded in a webpage, causing Chrome to write beyond allocated heap memory during video processing. While this typically results in a browser crash (DoS), it could be combined with other vulnerabilities to achieve code execution. Google has not confirmed active exploitation, but restricted disclosure and the nature of these bugs suggest a high risk of weaponization, making prompt updates strongly recommended.
Impact
- Code Execution
- Denial of Service
- Buffer Overflow
Indicators of Compromise
CVE
CVE-2026-1861
CVE-2026-1862
Affected Vendors
Google
Remediation
- Immediately update Google Chrome to version 144.0.7559.132/.133 on Windows and macOS, and 144.0.7559.132 on Linux to ensure both vulnerabilities are fully patched.
- Enable automatic Chrome updates across all systems to reduce exposure time to newly discovered high-severity vulnerabilities.
- Restrict users from visiting untrusted or unknown websites, as exploitation requires interaction with a maliciously crafted webpage.
- Apply endpoint protection and browser isolation controls to limit the impact of potential renderer-level exploitation.
- Monitor security logs and endpoint telemetry for abnormal browser crashes or suspicious behavior that may indicate exploitation attempts.
- Keep operating systems and underlying libraries fully patched and up to date to reduce the effectiveness of exploit chaining.
- In enterprise environments, enforce centralized patch management and browser version compliance through group policies or MDM solutions.
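The version-compliance step above is easy to get wrong when builds are compared as strings (for example, "144.0.7559.96" sorts after "144.0.7559.132" lexically). The following added example, which is not part of the advisory or any Google tooling, parses reported Chrome build numbers, compares them numerically against the patched build named in this advisory, and flags hosts that are still vulnerable or could not be assessed. The inventory records, hostnames and the older version numbers are constructed sample data, and the command names tried by `local_chrome_version()` are assumptions.

```python
"""Chrome build compliance check against the patched builds in this advisory.

Added example, not from the advisory or from Google: classify an inventory of
hosts by whether their reported Chrome build is at or above the fixed build.
"""
import re
import shutil
import subprocess
from typing import List, NamedTuple, Optional, Tuple

# Patched builds named in the advisory. Windows/macOS may report .132 or .133;
# both are at or above this minimum, so one threshold covers every platform.
PATCHED_MIN: Tuple[int, int, int, int] = (144, 0, 7559, 132)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome build from text such as '144.0.7559.133' or
    'Google Chrome 144.0.7559.132'. Returns None when no build number is
    present, so callers report 'unknown' instead of treating a bad string as
    compliant."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, minimum=PATCHED_MIN) -> Optional[bool]:
    """True if the build is at or above the patched build, False if older,
    None if unparseable. Tuple comparison gives the numeric ordering
    (144.0.7559.96 < 144.0.7559.132) that string comparison gets wrong."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v >= minimum


class HostStatus(NamedTuple):
    host: str
    platform: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown"


def audit(inventory) -> List[HostStatus]:
    """Classify every (host, platform, version) record in an inventory."""
    results = []
    for host, plat, ver in inventory:
        verdict = is_patched(ver)
        if verdict is None:
            status = "unknown"
        else:
            status = "patched" if verdict else "vulnerable"
        results.append(HostStatus(host, plat, ver, status))
    return results


def needs_action(results) -> List[HostStatus]:
    """Hosts that are vulnerable or could not be assessed; both need follow-up."""
    return [r for r in results if r.status != "patched"]


def local_chrome_version() -> Optional[str]:
    """Best-effort read of the locally installed Chrome version on Linux/macOS
    by asking the binary for --version. The command names are assumptions;
    returns None if no Chrome binary is found."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium",
                "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"):
        path = shutil.which(exe)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out):
            return out.strip()
    return None


# Constructed sample inventory: (hostname, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "144.0.7559.133"),
    ("ws-002", "windows", "144.0.7559.96"),
    ("mac-007", "macos", "Google Chrome 144.0.7559.132"),
    ("lx-010", "linux", "143.0.7499.192"),
    ("ws-003", "windows", "not installed"),
]

if __name__ == "__main__":
    for r in needs_action(audit(SAMPLE_INVENTORY)):
        print(f"{r.host:8} {r.platform:8} {r.version:32} {r.status}")
```

Feeding the script real data means replacing `SAMPLE_INVENTORY` with the version strings your MDM or endpoint agent reports; treating "unknown" as actionable rather than silently passing it is the design choice that keeps a malformed or missing version field from hiding an unpatched host.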