Google Chrome Emergency Patch Fixes 3 High-Severity Vulnerabilities
2 min. read 
Published on
Google rolled out Chrome version 145.0.7632.116/117 for Windows and macOS, plus 144.0.7559.116 for Linux. The update patches three High-severity flaws with significant exploitation risk. All CVEs carry urgent priority due to memory corruption potential.
CVE-2026-3061 targets Chrome’s Media component with out-of-bounds read issues. Researcher Luke Francis reported it on February 9, 2026. Malicious media files or web content trigger crashes and potential sandbox escapes remotely.
CVE-2026-3062, the most severe, hits Tint WebGPU shader compiler. Cinzinga disclosed out-of-bounds read/write flaws on February 11, 2026. Graphics processing corruption enables renderer code execution. WebGPU expansion creates growing attack surface.
CVE-2026-3063 affects DevTools with inappropriate implementation. M. Fauzan Wijaya (Gh05t666nero) found it February 17, 2026. Developer tooling flaws risk cross-origin leaks or security boundary bypass.
Google restricts technical details until most users update. This responsible disclosure shrinks weaponization windows significantly.
Chrome Vulnerabilities Table
| CVE ID | Severity | Component | Type | Reporter |
|---|---|---|---|---|
| CVE-2026-3061 | High | Media | Out-of-bounds read | Luke Francis |
| CVE-2026-3062 | High | Tint (WebGPU) | Read/write OOB | cinzinga |
| CVE-2026-3063 | High | DevTools | Inappropriate impl | M. Fauzan Wijaya |
Out-of-bounds flaws chain into RCE frequently. Media vectors enable drive-by attacks via compromised sites. WebGPU bugs grow critical as adoption accelerates across browsers.
Update rollout spans days to weeks automatically. Manual check via chrome://settings/help forces immediate deployment. Restart required for full protection.
Enterprises face highest exposure through managed fleets. Patch deployment via MDM platforms prevents mass exploitation. Internal Google fuzzing found additional fixes beyond external reports.
Chrome commands 65%+ global share. Unpatched users remain prime targets through March. Threat actors weaponize memory bugs within hours of disclosure typically.
Update Priority Actions
- Navigate chrome://settings/help and relaunch immediately
- Enterprise admins push via management consoles now
- Verify version: Win/Mac 145.0.7632.116/117, Linux 144.0.7559.116
- Chromium browsers (Edge, Brave, Opera) expect similar patches
- Monitor exploit attempts through crash reports and telemetry
High-severity classification signals active threat monitoring. Google Threat Analysis Group watches zero-click chaining attempts. Renderer escapes remain top priority.
Developers using DevTools face privilege abuse risks. WebGPU creators test shaders cautiously until fleets update. Media-heavy sites audit embedded content rigorously.
FAQ
Windows/macOS: 145.0.7632.116/117. Linux: 144.0.7559.116.
WebGPU out-of-bounds read/write in Tint enables renderer code execution.
chrome://settings/help → relaunch browser. Do not wait for auto-rollout.
No. Google restricts until majority patch deployment completes.
Tint WebGPU shader compiler (CVE-2026-3062) per technical severity.
MDM platforms force immediate patch across managed fleets.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages