Google Fixes Critical Chrome Flaws in PDFium and V8


Three Vulnerabilities Could Allow Remote Code Execution

Google has released an urgent Chrome security update fixing three vulnerabilities that could allow attackers to run malicious code on user devices.

The Stable Channel is now updated to version 145.0.7632.109/.110 for Windows and Mac, and 144.0.7559.109 for Linux.

Two high-severity flaws affect PDFium (Chrome’s PDF engine) and V8 (its JavaScript engine). A third issue impacts media processing. These bugs could be triggered through malicious websites, booby-trapped PDF files, or crafted media content.

What Was Fixed

  • CVE-2026-2648 (High) – Heap buffer overflow in PDFium during PDF parsing. Attackers could exploit invalid memory bounds to overwrite heap memory and potentially achieve remote code execution.
  • CVE-2026-2649 (High) – Integer overflow in V8. Crafted HTML or JavaScript could corrupt memory structures, possibly leading to code execution within the renderer process.
  • CVE-2026-2650 (Medium, CVSS 8.8) – Heap buffer overflow in media handling. Malformed video or embedded content could trigger memory corruption during playback.

Google has restricted detailed technical information until most users update, reducing the risk of active exploitation. The media vulnerability was discovered internally using tools such as libFuzzer (fuzzing) and AddressSanitizer (memory-error detection).

While Chrome’s sandboxing and site isolation mechanisms help reduce impact, high-severity browser flaws remain attractive targets for ransomware groups and data-theft campaigns. There are currently no confirmed reports of active exploitation.

How to Update

Open Chrome and go to Help > About Google Chrome. The browser will automatically check for updates and prompt for a restart.

Enterprise administrators can deploy patches using Group Policy or MDM tools. Delaying browser updates increases exposure risk, especially with high-severity memory corruption vulnerabilities.
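
A fleet check against the fixed builds listed above, as an added example that is not part of the original article. It assumes an inventory export in a hypothetical `host,platform,version` CSV format, uses constructed sample rows, and treats the lower build of the Windows/Mac pair (.109) as the minimum fixed version.

```python
# Added example: flag hosts whose Chrome build is older than the fixed build
# named in this advisory. The inventory format and rows are constructed.
import csv
import io

# Minimum fixed builds as stated in the article (lower build of each pair).
FIXED = {
    "windows": "145.0.7632.109",
    "mac": "145.0.7632.109",
    "linux": "144.0.7559.109",
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError if malformed."""
    parts = str(text).strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform, installed):
    """True if installed is older than the fixed build for the platform."""
    fixed = FIXED[str(platform).lower()]  # KeyError for unlisted platforms
    # Compare numerically: as strings, '76' would sort after '109'.
    return parse_version(installed) < parse_version(fixed)

def audit(inventory_csv):
    """Return (outdated, unparsed) host lists from host,platform,version rows."""
    outdated, unparsed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if needs_update(row["platform"], row["version"]):
                outdated.append(row["host"])
        except (KeyError, ValueError):
            unparsed.append(row["host"])  # unknown platform or bad version
    return outdated, unparsed

# Constructed inventory export (hypothetical hostnames and build numbers).
SAMPLE = """host,platform,version
ws-001,windows,145.0.7632.110
ws-002,windows,145.0.7632.76
mb-003,mac,144.0.7559.133
lx-004,linux,144.0.7559.109
lx-005,linux,143.0.7499.192
kiosk-6,chromeos,unknown
"""

if __name__ == "__main__":
    outdated, unparsed = audit(SAMPLE)
    print("outdated:", outdated)
    print("needs manual review:", unparsed)
```

Hosts that land in the manual-review list are not confirmed patched; they only could not be evaluated automatically.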

February 20th, 2026 | Application Security, Cybersecurity, google, Security Update, Security Advisory, vulnerability

About the Author:

FirstHackersNews- Identifies Security
