Google has rushed out a vital security patch for Chrome, fixing three flaws that could let attackers run malicious code on users’ devices.
The Stable Channel update bumps versions to 145.0.7632.109/.110 for Windows and Mac, and 144.0.7559.109 for Linux.
High-severity issues in PDFium, the engine that handles PDF files in Chrome and V8, the speedy JavaScript processor, headline the fixes.
These could stem from booby-trapped websites or documents that turn browsers into hacker gateways.
PDFium flaws often occur when opening tainted PDFs, causing memory overflows that crash apps or, worse, execute arbitrary code remotely.
V8 errors, such as integer overflows, can mess with number handling in web scripts, potentially bypassing Chrome’s defenses and enabling stealthy attacks.
The third issue targets media playback, another common exploit vector. Google rates two as high risk due to real-world abuse potential, keeping bug details under wraps until patches spread widely.
CVE-2026-2648 (CWE-122) triggers during PDF parsing, where invalid bounds allow attackers to remotely overwrite heap memory, potentially chaining to sandbox escape and arbitrary code execution (ACE).
CVE-2026-2649 exploits V8’s integer handling flaws in JavaScript, causing overflows that corrupt heap structures.
Attackers craft HTML pages for zero-click heap manipulation, risking ACE in the render process. V8’s ubiquity amplifies impact across web apps.
CVE-2026-2650 hits media buffers on malformed content, enabling heap corruption via web videos or embeds.
Though medium-rated, it scores 8.8 on the CVSS scale for high confidentiality/integrity/availability effects, with user interaction such as playback.
| CVE ID | Severity | Description |
|---|---|---|
| CVE-2026-2648 | High | Heap buffer overflow in PDFium |
| CVE-2026-2649 | High | Integer overflow in V8 |
| CVE-2026-2650 | Medium | Heap buffer overflow in Media |
According to Google’s advisory, these bugs remain restricted until most users update, per Google’s policy to limit exploitation. Google’s internal team caught the media one via fuzzing tools like libFuzzer and AddressSanitizer.
Chrome’s multi-process sandbox and site isolation blunt many attacks, but zero-days like these test those limits. No active exploits have been confirmed yet, but high-severity browser bugs fuel ransomware and data theft campaigns.
To update, open Chrome, then go to Help > About Google Chrome. It checks and installs automatically, and restarts when prompted. Enterprises can push via Group Policy or MDM tools; turn off auto-updates at your peril.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
