Product Overview
Product: Google Chrome (Desktop)
Vendor: Google
Affected Versions: All versions earlier than 144.0.7559.132
Platforms: Windows, macOS, Linux
Attack Vector: Remote (via web content)
User Interaction Required: Yes (page visit / content rendering)
Vulnerability Summary
Two high-impact remote code execution vulnerabilities were identified in Google Chrome prior to version 144.0.7559.132. Both issues originate from unsafe memory handling in core browser components responsible for JavaScript execution and media decoding. Under specific conditions, memory corruption may be triggered by crafted web content, potentially allowing arbitrary code execution within the browser’s renderer process.
The vulnerabilities are tracked as:
- CVE-2026-1862 – Type Confusion in the V8 JavaScript Engine
- CVE-2026-1861 – Heap Buffer Overflow in libvpx Video Codec
If exploitation is successful and combined with additional weaknesses, further compromise beyond the browser sandbox may occur.
CVE Details Table
| Field | CVE-2026-1862 | CVE-2026-1861 |
|---|---|---|
| Vulnerability Type | Type Confusion | Heap Buffer Overflow |
| Affected Component | V8 JavaScript Engine | libvpx Video Decoder |
| Impact | Remote Code Execution | Remote Code Execution |
| Attack Vector | Network | Network |
| Privileges Required | None | None |
| User Interaction | Required | Required |
| Severity | High | High |
| CVSS v3.1 Score | 8.8 | 8.8 |
| Scope | Unchanged | Unchanged |
Technical Description
CVE-2026-1862 – Type Confusion (V8)
A type confusion condition was present in the V8 JavaScript engine due to insufficient validation of object types during optimization and execution phases. Under crafted JavaScript execution paths, objects may be incorrectly treated as a different type, leading to unsafe memory access.
By carefully manipulating heap layout and execution timing, arbitrary read/write primitives may be achieved. These primitives can then be leveraged to redirect execution flow and run attacker-controlled code within the renderer process.
CVE-2026-1861 – Heap Overflow (libvpx)
A heap-based buffer overflow existed in the libvpx video decoding library when parsing malformed VP8/VP9 video streams. Improper bounds checking during frame decoding allowed writes beyond allocated heap memory.
When a malicious or malformed video stream is rendered (embedded or autoplayed), heap corruption may occur. With sufficient control, execution flow may be hijacked, leading to code execution in the browser context.
Exploitation Scenario
Exploitation is typically performed by hosting or embedding malicious web content. The following sequence is expected:
- A user is redirected to, or loads, a malicious webpage.
- Crafted JavaScript or media content is delivered to the browser.
- Memory corruption is triggered during script execution or media decoding.
- Controlled heap manipulation is used to gain execution control.
- Malicious payload is executed within the Chrome renderer process.
Further exploitation (such as sandbox escape) would require additional vulnerabilities and is environment-dependent.
Proof of Concept / Exploit Availability
At the time of assessment, no stable public proof-of-concept exploit has been widely released. However, the vulnerability classes involved are well understood, and weaponization is considered feasible by experienced attackers.
Any proof-of-concept code discussed or demonstrated should be treated as educational only and must not be executed outside of controlled research environments.
MITRE ATT&CK Mapping
- Initial Access: T1189 – Drive-by Compromise
- Execution: T1059 – Command and Scripting Interpreter
- Privilege Escalation: T1068 – Exploitation for Privilege Escalation (chained)
- Defense Evasion: T1218 – Signed Binary Proxy Execution
- Impact: T1499 – Endpoint Denial of Service (failed exploitation cases)
Detection Strategy
Detection relies on a combination of endpoint telemetry, browser crash analysis, and network behavior correlation. Since memory corruption exploits are unstable by nature, failed exploitation attempts often generate detectable signals.
Detection Queries
Endpoint Process Monitoring (EDR / XDR)
Detect abnormal child processes spawned by Chrome
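```sql
-- Shells and interpreters whose parent is a Chrome process.
SELECT *
FROM process_events
WHERE parent_process_name IN ('chrome.exe', 'chrome', 'Google Chrome')
  AND process_name IN ('cmd.exe', 'powershell.exe', 'sh', 'bash')
  -- keep only events that occur after the Chrome parent process started
  AND event_time > parent_start_time;
```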
Browser Crash Correlation
Identify repeated Chrome renderer crashes
```sql
-- Hosts with more than three renderer crash messages in the queried log range.
SELECT hostname, COUNT(*) AS crash_count
FROM application_logs
WHERE application = 'chrome'
  AND message LIKE '%renderer crash%'
GROUP BY hostname
HAVING COUNT(*) > 3;
```
Network Proxy / Secure Web Gateway
Detect suspicious video delivery sources
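```sql
-- Video responses served from domains outside the allowlist.
-- trusted_media_domains is assumed to be a table with one allowlisted domain per row.
SELECT src_ip, url, content_type
FROM proxy_logs
WHERE content_type LIKE 'video/%'
  AND domain NOT IN (SELECT domain FROM trusted_media_domains);
```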
File and Memory Indicators
Detect unexpected executable writes after browser activity
```sql
-- Executable or library files written by a Chrome process.
SELECT *
FROM file_events
WHERE initiating_process_name IN ('chrome.exe', 'chrome')
  AND file_extension IN ('.exe', '.dll', '.so');
```
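The correlation described under Detection Strategy, as an added example that is not part of the original advisory: it scores hosts from renderer-crash and process events and treats a Chrome-spawned shell soon after a crash as the strongest signal. The event tuples, the 10-minute window and the severity labels are assumptions; the process names and the crash threshold come from the queries above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHROME = {"chrome.exe", "chrome", "Google Chrome"}    # parent names from the page's query
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}  # child names from the page's query
WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # the page's crash query alerts above 3

# Constructed sample events: (timestamp, host, kind, parent, child)
EVENTS = [
    ("2026-02-10T09:00:00", "ws-010", "crash", None, None),
    ("2026-02-10T09:01:30", "ws-010", "crash", None, None),
    ("2026-02-10T09:03:00", "ws-010", "crash", None, None),
    ("2026-02-10T09:04:10", "ws-010", "crash", None, None),
    ("2026-02-10T09:06:00", "ws-010", "process", "chrome.exe", "powershell.exe"),
    ("2026-02-10T10:00:00", "ws-011", "crash", None, None),
    ("2026-02-10T10:01:00", "ws-011", "crash", None, None),
    ("2026-02-10T10:02:00", "ws-011", "crash", None, None),
    ("2026-02-10T10:03:00", "ws-011", "crash", None, None),
    ("2026-02-10T08:00:00", "ws-012", "crash", None, None),
    ("2026-02-10T15:00:00", "ws-012", "crash", None, None),
    ("2026-02-10T11:00:00", "ws-013", "process", "chrome", "bash"),
    ("2026-02-10T11:05:00", "ws-014", "process", "explorer.exe", "cmd.exe"),
]

def score_hosts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: 'high'|'medium'|'low'} from crash and process events."""
    crashes, shells, hosts = defaultdict(list), defaultdict(list), set()
    for ts, host, kind, parent, child in events:
        hosts.add(host)
        when = datetime.fromisoformat(ts)
        if kind == "crash":
            crashes[host].append(when)
        elif kind == "process" and parent in CHROME and child in SHELLS:
            shells[host].append(when)
    scores = {}
    for host in hosts:
        times, start, burst = sorted(crashes[host]), 0, False
        for end, t in enumerate(times):  # sliding window over crash times
            while t - times[start] > window:
                start += 1
            burst = burst or (end - start + 1) > threshold
        # A browser-spawned shell shortly after a crash is the strongest signal.
        chained = any(timedelta(0) <= s - c <= window
                      for s in shells[host] for c in times)
        scores[host] = ("high" if chained else
                        "medium" if burst or shells[host] else "low")
    return scores
```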
Log Sources Required
- Endpoint Detection & Response (process, file, memory events)
- Browser crash and diagnostic logs
- Secure Web Gateway / Proxy logs
- Asset inventory (browser version tracking)
- SIEM correlation platform
Mitigation and Remediation
- Immediate upgrade to the patched Chrome version is required.
- All systems running affected versions should be considered exposed.
- Browser restarts must be enforced after patch deployment.
- Third-party video and advertising content should be restricted where feasible.
- Endpoint protections should block browser-spawned shells and interpreters.
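An added example (not Google's or the advisory author's tooling) that triages an asset inventory against the fixed build 144.0.7559.132 and separates hosts that are patched on disk but still running an older process, which is the case the restart step addresses. The inventory rows and status labels are constructed; versions are compared numerically because a string comparison would rank 99.x above 144.x.

```python
import re

FIXED = "144.0.7559.132"  # first patched version, taken from this advisory

# Constructed sample inventory: (hostname, installed version, running version)
INVENTORY = [
    ("ws-001", "144.0.7559.132", "144.0.7559.132"),
    ("ws-002", "144.0.7559.132", "144.0.7559.96"),  # updated on disk, old process alive
    ("ws-003", "99.0.4844.84", "99.0.4844.84"),     # sorts "newer" as a string
    ("ws-004", "144.0.7559.96", None),              # browser not running
    ("ws-005", "unknown", None),                    # inventory gap
]

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if missing or malformed."""
    if not text or not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), re.ASCII):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def classify(installed, running, fixed=FIXED):
    """Classify one host as vulnerable, restart-required, patched or unknown."""
    fixed_v = parse_version(fixed)
    installed_v = parse_version(installed)
    if installed_v is None:
        return "unknown"
    if installed_v < fixed_v:
        return "vulnerable"
    if running is None:
        return "patched"  # not running: the next launch uses the fixed build
    running_v = parse_version(running)
    if running_v is None:
        return "unknown"
    return "patched" if running_v >= fixed_v else "restart-required"

def triage(inventory):
    return {host: classify(inst, run) for host, inst, run in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```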
Official Patch / Upgrade
The vulnerabilities are resolved in Google Chrome version 144.0.7559.132 and later.
Official Patch Link:
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
Final Takeaway
These vulnerabilities represent high-risk attack vectors due to their remote exploitability and reliance on common browser activity. While no active exploitation has been broadly observed, the technical nature of the flaws makes them attractive targets. Prompt patching, continuous monitoring, and strong endpoint controls are required to reduce risk.
