Login Sign Up

CVE-2026-2649

8.8 HIGH

📋 TL;DR

An integer overflow vulnerability in Chrome's V8 JavaScript engine allows remote attackers to trigger heap corruption via malicious HTML pages. This could lead to arbitrary code execution or browser crashes. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Prior to 145.0.7632.109
Operating Systems: Windows, macOS, Linux, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Chromium-based browsers may also be affected if using vulnerable V8 versions.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise if combined with other vulnerabilities.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption that could be leveraged for information disclosure.

🟢

If Mitigated

Browser sandboxing limits impact to Chrome process only, preventing full system compromise in most configurations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to visit malicious webpage. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 145.0.7632.109

Vendor Advisory: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click menu (three dots) → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution in Chrome to prevent exploitation

chrome://settings/content/javascript → Toggle to 'Blocked'

Use Site Isolation

all

Enable Site Isolation to limit impact of memory corruption

chrome://flags/#enable-site-per-process → Enable

🧯 If You Can't Patch

  • Use alternative browser temporarily
  • Implement network filtering to block suspicious websites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome page. If version is below 145.0.7632.109, system is vulnerable.

Check Version:

chrome://version/

Verify Fix Applied:

Confirm Chrome version is 145.0.7632.109 or higher in About Google Chrome page.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Process termination events
  • Memory access violation logs

Network Indicators:

  • Requests to known malicious domains hosting exploit code
  • Unusual JavaScript execution patterns

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination") AND version<"145.0.7632.109"

📊 Metadata

CVE ID: CVE-2026-2649
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-472
Published: February 18, 2026
Last Updated: February 19, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2649, you might also want to check these:

CVE-2021-1289 9.8

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code as roo...

Same vulnerability type (CWE-472)
CVE-2021-1291 9.8

This vulnerability allows unauthenticated remote attackers to execute arbitrary code as root on affe...

Same vulnerability type (CWE-472)
CVE-2021-1293 9.8

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code as roo...

Same vulnerability type (CWE-472)