Google has released a critical security update for the Chrome Stable channel, addressing two high-severity vulnerabilities that expose users to potential arbitrary code execution (ACE) and denial-of-service (DoS) attacks.
The update pushes the browser version to 144.0.7559.132/.133 for Windows and macOS, and 144.0.7559.132 for Linux.
The technology giant confirmed that the rollout will occur over the coming days and weeks. These patches specifically target memory corruption issues within the browser’s JavaScript engine and video processing libraries.
The update resolves two specific security flaws, both classified as “High” severity. Successful exploitation of these vulnerabilities typically requires a user to visit a specially crafted website, which can trigger the exploit within the browser’s renderer process.
CVE-2026-1862: Type Confusion in V8
The most significant flaw is located in V8, Google’s open-source high-performance JavaScript and WebAssembly engine. Type Confusion vulnerabilities occur when the engine is tricked into accessing a memory resource using an incompatible type for example, treating an integer as a pointer.
Attackers frequently leverage V8 type confusion bugs to manipulate memory pointers. This manipulation allows them to read or write memory out of bounds, potentially leading to arbitrary code execution within the sandboxed environment. This vulnerability was reported by researcher Chaoyuan Peng (@ret2happy).
CVE-2026-1861: Heap Buffer Overflow in libvpx
The second vulnerability resides in libvpx, the reference software library for the VP8 and VP9 video coding formats. A heap buffer overflow occurs when a process attempts to write more data to a fixed-length memory buffer than it can hold.
In this context, an attacker could embed a malformed video stream on a webpage. When Chrome attempts to process this video using libvpx, the overflow could corrupt adjacent memory on the heap. This usually results in a browser crash (DoS) but can also be chained with other exploits to achieve code execution.
| CVE ID | Severity | Description | Component | Reported By |
|---|---|---|---|---|
| CVE-2026-1862 | High | Type Confusion | V8 Engine | Chaoyuan Peng |
| CVE-2026-1861 | High | Heap Buffer Overflow | libvpx | Google Internal |
Mitigations
Google has not disclosed whether these exploits are currently being used in the wild (zero-day status), keeping bug details restricted until a majority of the user base has updated. However, given the nature of V8 and heap overflow vulnerabilities, the risk of weaponization remains high.
Enterprise administrators and users are advised to update immediately. To verify the installation:
- Open Chrome and navigate to Menu > Help > About Google Chrome.
- Ensure the browser checks for updates and restarts to apply version 144.0.7559.132 or later.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
