Google Issues Emergency Chrome Patches as Exploit Code Goes Public


Laptops Reporter

Google has released urgent Chrome updates across desktop and mobile platforms to patch critical vulnerabilities, including CVE-2026-2441, which now has publicly available exploit code and is under active exploitation.


Google has accelerated security updates for Chrome across all platforms following the public release of exploit code targeting multiple vulnerabilities. The emergency patches come as CISA adds one critical flaw to its Known Exploited Vulnerabilities catalog with a March 10 remediation deadline.

The February 18 desktop update moves Chrome to version 145.0.7632.109/110 for Windows/macOS and 144.0.7559.109 for Linux. This staged rollout addresses three new CVEs beyond the previously disclosed CVE-2026-2441:

  • CVE-2026-2648 (High): Heap buffer overflow in PDFium rendering engine
  • CVE-2026-2649 (High): Integer overflow in V8 JavaScript engine
  • CVE-2026-2650 (Medium): Heap buffer overflow in Media components

Simultaneously, Google updated the Extended Stable channel to version 144.0.7559.220 for Windows and macOS. Mobile users received corresponding protection with Chrome 145.0.7632.109 rolling out via Google Play for Android and version 145.0.7632.108 through the App Store for iOS. Android releases contain identical security fixes to their desktop counterparts unless otherwise specified.

The urgency stems from CVE-2026-2441's escalation to active threat status. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on February 17, requiring federal agencies to implement mitigations by March 10. The NVD entry was updated February 20 to include references to publicly available proof-of-concept exploit code, significantly increasing attack risks.

Heap buffer overflows like those patched here let an attacker write past the end of a heap allocation into adjacent memory, potentially enabling arbitrary code execution when a user visits a malicious site. The V8 integer overflow could similarly lead to memory corruption. Given Chrome's market share and integration with web services, these vulnerabilities present widespread risk.

This update cycle demonstrates Google's rapid response to evolving threats. While the staged rollout may delay full deployment, users should immediately check their Chrome version (via Menu > Help > About Google Chrome) and apply updates. Enterprise administrators should prioritize deploying Extended Stable channel updates to managed devices before CISA's deadline.
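For a managed fleet, the version check described above can be run over an inventory export. The following is an added example, not code from Google or from this article; the CSV layout, host names and the choice of 145.0.7632.109 as the floor for both Windows and macOS are assumptions, while the version numbers themselves are the ones quoted in the article.

```python
import csv, io

# (platform, channel) -> first patched build named in the article.
# Assumption: .109 is the floor for both Windows and macOS ("109/110" is not split out).
PATCHED = {
    ("windows", "stable"): "145.0.7632.109",
    ("macos", "stable"): "145.0.7632.109",
    ("linux", "stable"): "144.0.7559.109",
    ("windows", "extended"): "144.0.7559.220",
    ("macos", "extended"): "144.0.7559.220",
    ("android", "stable"): "145.0.7632.109",
    ("ios", "stable"): "145.0.7632.108",
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, channel, version):
    """Return 'patched', 'vulnerable', 'unparsed' or 'no-baseline'."""
    floor = PATCHED.get((platform.lower(), channel.lower()))
    if floor is None:
        return "no-baseline"  # the article names no fixed build for this combination
    found = parse_version(version)
    if found is None:
        return "unparsed"  # treat as needing manual follow-up, not as safe
    # Compare numerically: as strings, "145.0.7632.99" sorts above "145.0.7632.109".
    return "patched" if found >= parse_version(floor) else "vulnerable"

def audit(inventory_csv):
    """Map each host to its status from a host,platform,channel,version CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["channel"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,platform,channel,version
ws-01,windows,stable,145.0.7632.110
ws-02,windows,stable,145.0.7632.99
mac-01,macos,extended,144.0.7559.177
lnx-01,linux,stable,144.0.7559.109
lnx-02,linux,extended,144.0.7559.220
and-01,android,stable,unknown
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The channel column matters: an Extended Stable build at 144.0.7559.220 is patched, while a Stable-channel host reporting any 144.x build on Windows or macOS is below its floor.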

Google's official bulletin provides detailed technical information for security teams. Unlike patches for theoretical vulnerabilities, these address flaws with known exploit code in circulation, making this update cycle particularly critical for all Chrome users.
