Advisory

Google Patches High-Severity Remote Code Execution Flaws in Chrome

Take action: If you are using Google Chrome or another Chromium-based browser (Edge, Brave, Vivaldi, Opera...), patch your browser ASAP. Even if the flaws are not critical, you shouldn't wait for them to become actively exploited. Update now: it's trivial, and all your tabs reopen after the update.


Learn More

Google released a security update for the Chrome browser on February 3, 2026, to patch two high-severity vulnerabilities. 

Vulnerabilities summary:

  • CVE-2026-1861 (CVSS score 8.8, Google severity High) - A heap buffer overflow in the libvpx library that occurs when processing VP8 and VP9 compressed video. An attacker can trigger it with a crafted video file that causes data to be written beyond the allocated memory buffer, leading to memory corruption. This allows the attacker to crash the browser or execute arbitrary code with the user's privileges.
  • CVE-2026-1862 (CVSS score 8.8, Google severity High) - A type confusion vulnerability in the V8 JavaScript engine that occurs when the engine incorrectly treats an object as a different type. By supplying malicious JavaScript, an attacker can manipulate memory to bypass security boundaries and execute unauthorized instructions. This can lead to data theft or full application compromise.

These flaws affect Chromium-based desktop browsers on Windows, macOS, and Linux. The fix is published as Google Chrome versions 144.0.7559.132/.133 on Windows and macOS, and version 144.0.7559.132 on Linux. Other browsers built on the Chromium engine, such as Microsoft Edge, Brave, and Vivaldi, are likely affected and will need their own updates.

Exploitation requires nothing more than a user visiting a malicious website and loading the malicious content. So far, Google has not detected active exploitation in the wild.

Google is withholding full technical details and proof-of-concept code to stop attackers from building exploits before most users have patched their systems.

Users should update their browsers as soon as possible.
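
To confirm the update has reached every machine, the added example below (not part of the original advisory or any Google tooling) compares reported browser versions against the fixed build 144.0.7559.132 numerically. The inventory rows and status labels are constructed for illustration. The advisory gives fixed builds only for Google Chrome, so other Chromium-based browsers are marked for manual review against their vendor's release notes.

```python
import re

# Lowest fixed Google Chrome build named in the advisory
# (144.0.7559.132/.133 on Windows and macOS, 144.0.7559.132 on Linux).
FIXED_BUILD = (144, 0, 7559, 132)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(product, version_text):
    """Classify one inventory row as 'patched', 'needs_update' or 'review'."""
    version = parse_version(version_text)
    if version is None:
        return "review"  # version could not be read from the inventory
    if product.strip().lower() != "google chrome":
        return "review"  # the advisory lists no fixed build for this product
    # Tuples compare field by field as integers; comparing the raw strings
    # would rank "144.0.7559.99" above "144.0.7559.132".
    return "patched" if version >= FIXED_BUILD else "needs_update"


def report(inventory):
    """Map each host to its status."""
    return {host: assess(product, raw) for host, product, raw in inventory}


# Constructed inventory rows (host, product, version string as reported).
INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 144.0.7559.133"),
    ("ws-02", "Google Chrome", "144.0.7559.99"),
    ("ws-03", "Google Chrome", "Google Chrome 143.0.0.1 "),
    ("ws-04", "Microsoft Edge", "144.0.0.1"),
    ("ws-05", "Google Chrome", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `needs_update` may simply have the update downloaded but not yet applied, since Chrome installs it on relaunch.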
