Google has released Chrome 145 to the stable channel for Windows, Mac, and Linux, addressing 11 security vulnerabilities that could enable attackers to execute malicious code on user systems.
The update, rolling out over the coming weeks, includes several high-severity fixes that warrant immediate attention.
The most severe flaw, CVE-2026-2313, is a use-after-free vulnerability in CSS that earned its discoverers an $8,000 bounty.
This high-severity bug could allow attackers to execute arbitrary code by exploiting a flaw in Chrome’s CSS handling.
Researchers from HexHive and the University of St. Andrews identified this critical issue in December 2025.
Two additional high-severity vulnerabilities were patched: CVE-2026-2314, a heap buffer overflow in Codecs, and CVE-2026-2315, an inappropriate implementation in WebGPU.
Google’s internal security team discovered both flaws, which could be exploited to execute code.
| CVE ID | Severity | Vulnerability Type | Component | Bounty |
|---|---|---|---|---|
| CVE-2026-2313 | High | Use after free | CSS | $8,000 |
| CVE-2026-2314 | High | Heap buffer overflow | Codecs | N/A |
| CVE-2026-2315 | High | Inappropriate implementation | WebGPU | N/A |
| CVE-2026-2316 | Medium | Insufficient policy enforcement | Frames | $5,000 |
| CVE-2026-2317 | Medium | Inappropriate implementation | Animation | $2,000 |
| CVE-2026-2318 | Medium | Inappropriate implementation | PictureInPicture | $1,000 |
| CVE-2026-2319 | Medium | Race condition | DevTools | $1,000 |
| CVE-2026-2320 | Medium | Inappropriate implementation | File input | TBD |
| CVE-2026-2321 | Medium | Use after free | Ozone | N/A |
| CVE-2026-2322 | Low | Inappropriate implementation | File input | $1,000 |
| CVE-2026-2323 | Low | Inappropriate implementation | Downloads | $500 |
The update addresses seven medium-severity vulnerabilities, including insufficient policy enforcement in frames and race conditions in DevTools.
Inappropriate implementations across components such as Animation, PictureInPicture, and File input. These issues could enable attackers to bypass security restrictions or manipulate browser behavior.
Two low-severity vulnerabilities in File input and Downloads were also patched, though they pose less immediate risk to users.
Google awarded bounties totaling over $18,500 to security researchers who responsibly disclosed these vulnerabilities.
The highest rewards went to academic researchers and independent security experts who identified critical flaws before they could be exploited in the wild.
Users should update Chrome immediately to version 145.0.7632.45 (Linux) or 145.0.7632.45/46 (Windows/Mac).
The browser typically updates automatically, but users can manually check for updates through Chrome’s settings menu under “About Chrome.”
Google continues to leverage advanced detection tools like AddressSanitizer, MemorySanitizer, and libFuzzer to identify vulnerabilities during development, preventing many security issues from reaching end users.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
