Google Rushes Emergency Chrome Update to Fix Three High-Severity Security Flaws
Posted: Wed Feb 25, 2026 12:16 am
Google has rolled out an emergency security update for its Chrome browser, addressing three high-severity vulnerabilities that could expose users to serious risks.
This patch targets Windows, Mac, and Linux platforms, fixing flaws that threaten system security and user data.
The quick rollout reflects the constant pressure on browser makers to counter advanced threats like remote code execution and data leaks.
Chrome’s stable channel now reaches version 145.0.7632.116/117 for Windows and Mac, while Linux users get 144.0.7559.116.
As noted in Google’s release notes, the update will roll out gradually over days and weeks. Users should restart their browsers and check for updates immediately to stay safe.
These vulnerabilities highlight Chrome’s role as a prime target for attackers, given its massive user base.
Delaying patches could allow exploits in the wild, leading to malware infections or stolen credentials.
Google’s proactive stance aligns with industry trends, where zero-day flaws often surface before patches do.
Critical Vulnerabilities Patched
The update tackles three high-severity issues, each with potential for exploitation. First, CVE-2026-3061 is an out-of-bounds read in the Media component.
This error happens when code accesses memory beyond allocated buffers, risking crashes or info leaks from nearby data. Reporter Luke Francis flagged it, preventing scenarios where attackers dump sensitive memory.
Second, CVE-2026-3062 combines out-of-bounds read and write flaws in Tint, Chrome’s shader translation engine.
Reads expose data, but writes enable memory corruption; attackers could overwrite code to run arbitrary commands, hijacking the browser and system.
Discovered by Cinzinga, this dual-threat demands urgent fixes to block remote code execution chains.
Third, CVE-2026-3063 stems from an inappropriate implementation in DevTools, the browser’s debugging suite.
Flawed logic here could let sites bypass sandbox limits, steal session tokens, or tamper with developer tools. M. Fauzan Wijaya (Gh05t666nero) reported it, averting risks to pros and everyday users alike.
Google withholds exploit details until most users update, thwarting reverse-engineering by threat actors. This “responsible disclosure” buys time for defenses.
The company credits these independent researchers, underscoring bug bounties’ role in hardening software.
To update, go to chrome://settings/help or rely on the platform's auto-update mechanism. Enterprises should check the Chrome versions across their fleets and manage the rollout with tools like Google Update policies.
With Chrome’s market dominance, these patches shield billions from phishing-to-RCE kill chains.
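For the fleet check mentioned above, here is an added example (not from the article or from Google) that compares an inventory export against the fixed builds the article lists. The CSV layout, hostnames and sample versions are constructed, and treating 145.0.7632.116 as the Windows/Mac floor is an assumption based on the ".116/117" wording.

```python
import csv
import io

# Fixed stable builds as stated in the article, per platform.
# Assumption: for Windows/Mac the lower of the two builds (".116/117") is the floor.
FIXED = {
    "windows": "145.0.7632.116",
    "mac": "145.0.7632.116",
    "linux": "144.0.7559.116",
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,windows,145.0.7632.117
ws-002,windows,145.0.7632.75
mb-010,mac,144.0.7559.132
lx-100,linux,144.0.7559.116
lx-101,linux,144.0.7559.96
kiosk-7,chromeos,145.0.7632.50
srv-9,linux,not-installed
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Classify each host as patched, outdated, or unknown."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        floor = FIXED.get(row["os"].strip().lower())
        found = parse_version(row["chrome_version"])
        if floor is None or found is None:
            report["unknown"].append(row["host"])  # needs manual follow-up
        elif found >= parse_version(floor):  # numeric compare, not string compare
            report["patched"].append(row["host"])
        else:
            report["outdated"].append(row["host"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank build .75 above .116 and report ws-002 as patched.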
Source: https://cyberpress.org/google-rushes-em ... me-update/