Google Urgently Releases Chrome Update to Patch Three High-Severity Vulnerabilities
In a decisive move to bolster user security, Google has rolled out a critical update for its Chrome browser, addressing three high-severity vulnerabilities that could potentially expose users to significant risks. The update elevates Chrome to version 145.0.7632.116/117 for Windows and macOS users, while Linux users receive version 144.0.7559.116. This release is being progressively distributed over the coming days and weeks.
Understanding the Vulnerabilities
The urgency of this update stems from the nature of the vulnerabilities addressed, each carrying a ‘High’ severity rating—a classification Google reserves for flaws with substantial exploitation potential. Two of these vulnerabilities involve out-of-bounds memory access, a type of bug that can serve as a foundation for remote code execution or sandbox escape when combined with additional exploits.
Detailed Breakdown of the Vulnerabilities
1. CVE-2026-3061: Out-of-Bounds Read in Media Component
Reported by security researcher Luke Francis on February 9, 2026, this vulnerability resides in Chrome’s Media component. Out-of-bounds reads in media processing pipelines are particularly concerning because they can be triggered through maliciously crafted media files or web-based content. This makes drive-by exploitation via compromised websites a realistic attack vector.
2. CVE-2026-3062: Out-of-Bounds Read and Write in Tint (WebGPU Shader Compiler)
Discovered by researcher Cinzinga on February 11, 2026, this flaw affects Tint, the WebGPU shader compiler used internally by Chrome. Out-of-bounds write vulnerabilities in graphics or shader processing can lead to memory corruption, enabling attackers to potentially achieve arbitrary code execution within the renderer process. As WebGPU adoption grows, vulnerabilities in components like Tint represent an expanding attack surface.
3. CVE-2026-3063: Inappropriate Implementation in Chrome DevTools
Reported by M. Fauzan Wijaya (Gh05t666nero) on February 17, 2026, this vulnerability involves an inappropriate implementation in Chrome DevTools. While typically less severe than memory corruption bugs, such flaws in developer tooling can enable cross-origin data leaks, privilege abuse, or the bypass of security boundaries under specific conditions.
Google’s Response and Recommendations
Google has noted that access to detailed bug reports will remain restricted until the majority of users have received the fix. This responsible disclosure practice helps limit the window of exploitation by preventing threat actors from weaponizing technical details before patches are widely deployed.
Users are strongly advised to navigate to `chrome://settings/help` to check their current version and trigger an update manually rather than waiting for the automatic rollout. Enterprise administrators should prioritize pushing this update through their management platforms, given the high severity ratings.
Google also credited its internal security teams for delivering additional fixes through continuous audits, fuzzing, and vulnerability research programs that complement external bug bounty contributions.
