CVE-2026-0902
📋 TL;DR
This vulnerability in Chrome's V8 JavaScript engine allows attackers to read memory outside intended boundaries via malicious web pages. It affects all Chrome users on vulnerable versions, potentially exposing sensitive data. The attack requires user interaction by visiting a crafted website.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data exfiltration, or installation of persistent malware.
Likely Case
Information disclosure through memory reading, potentially exposing session tokens, passwords, or other sensitive data in browser memory.
If Mitigated
Limited impact with proper sandboxing and exploit mitigations; browser crash or tab termination.
🎯 Exploit Status
Exploitation requires JavaScript execution and memory manipulation knowledge. No public exploits known at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 144.0.7559.59 and later
Vendor Advisory: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html
Restart Required: Yes
Instructions:
1. Open Chrome menu > Help > About Google Chrome. 2. Wait for update check. 3. Click 'Relaunch' when update downloads. 4. Verify version is 144.0.7559.59 or higher.
🔧 Temporary Workarounds
Disable JavaScript
allPrevents exploitation by blocking JavaScript execution on untrusted sites
chrome://settings/content/javascript > Block
Use Site Isolation
allEnforces process separation between websites to limit impact
chrome://flags/#site-isolation-trial-opt-out > Disabled
🧯 If You Can't Patch
- Use alternative browsers until patching possible
- Implement network filtering to block known malicious domains
🔍 How to Verify
Check if Vulnerable:
Check Chrome version in menu > Help > About Google ChromeCheck Version:
On Windows: "chrome://version/" in address bar; On Linux: google-chrome --version; On macOS: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --versionVerify Fix Applied:
Confirm version is 144.0.7559.59 or higher in About dialog📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports with V8-related errors
- Unexpected memory access patterns in system logs
Network Indicators:
- Requests to domains hosting obfuscated JavaScript
- Unusual outbound connections after visiting specific sites
SIEM Query:
source="chrome_logs" AND (error="V8" OR error="out_of_bounds") OR process="chrome" AND memory_access_violation