Google Chrome Emergency Security Update Patches High-Severity PDFium and V8 Vulnerabilities
Google rolled out an emergency security update for the Chrome Stable Channel on February 17, 2026. This patch targets three vulnerabilities. Two high-severity flaws sit in the PDFium and V8 engines. They could allow arbitrary code execution through crafted files. Users must update to versions 145.0.7632.109/.110 on Windows and Mac. Linux users need 144.0.7559.109.
The update is rolling out globally now. Google follows its 24-hour disclosure policy. Full bug details stay restricted until most users patch. This keeps attackers from crafting exploits from the bug details. The official Chrome Releases blog lists the CVEs. It urges immediate updates for all platforms.
PDFium handles PDF rendering in Chrome. V8 powers JavaScript execution across sites. Both are favored targets for memory-corruption attacks. Heap buffer overflows write past allocated space. Integer overflows corrupt data or bypass checks. No in-the-wild exploits have appeared yet. Risks rise with disclosure.
Google’s Chrome team posted the announcement. “Stable channel updated to 145.0.7632.109 for Windows… with 3 security fixes.”
NIST NVD entries confirm severity:
- CVE-2026-2648 (PDFium Heap Buffer Overflow)
- CVE-2026-2649 (V8 Integer Overflow)
- CVE-2026-2650 (Media Heap Buffer Overflow)
Vulnerable Versions Table
| Platform | Vulnerable Up To | Fixed Version |
|---|---|---|
| Windows | 145.0.7632.108 | 145.0.7632.109/.110 |
| Mac | 145.0.7632.108 | 145.0.7632.109/.110 |
| Linux | 144.0.7559.108 | 144.0.7559.109 |
Detailed Vulnerability Breakdown
| CVE ID | Severity | Component | Trigger Method | Reporter | Report Date |
|---|---|---|---|---|---|
| CVE-2026-2648 | High | PDFium | Crafted PDF file | Soiax | 2026-01-19 |
| CVE-2026-2649 | High | V8 | Crafted HTML page | JunYoung Park (@candymate), KAIST Hacking Lab | 2026-02-03 |
| CVE-2026-2650 | Medium | Media | Crafted HTML page | Google internal discoverer | 2026-01-18 |
These issues need user interaction: a user has to open a malicious PDF or page to trigger them. AddressSanitizer tools helped detect them.
Step-by-Step Update Instructions
- Open Chrome.
- Click the three dots at the top right.
- Choose Help > About Google Chrome.
- The browser checks for and downloads updates.
- Relaunch to activate patches.
Enterprise admins:
- Deploy via Chrome policies.
- Verify at chrome://policy.
- Use Google Update for bulk pushes.
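To confirm a rollout, reported browser versions can be compared numerically against the fixed versions in the table above. The following is an added example, not code from Google or from the original article; the inventory rows, host names and function names are constructed for illustration.

```python
import re

# Fixed versions per platform, taken from the article's table.
FIXED = {
    "windows": (145, 0, 7632, 109),
    "mac": (145, 0, 7632, 109),
    "linux": (144, 0, 7559, 109),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never assume an unparsable report is patched
    # Tuple comparison is numeric per component, so .99 sorts below .109.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Group host names by status; inventory rows are (host, platform, version)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "145.0.7632.109"),
    ("ws-002", "Windows", "145.0.7632.99"),  # a string compare would rank this above .109
    ("mb-014", "Mac", "145.0.7632.110"),
    ("lx-203", "Linux", "144.0.7559.108"),
    ("lx-204", "Linux", "144.0.7559.109"),
    ("kiosk-7", "Windows", "not reported"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" should be followed up manually rather than counted as patched.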
Why These Patches Matter
Chrome commands a 65% browser market share. V8 also runs in Node.js apps. PDFium flaws repeat patterns from past years. High CVSS scores demand fast fixes. Auto-updates cover 70% of users in days. Delays expose systems. Embedded Chrome in apps like email clients amplifies reach.
Linux distros package Chrome separately, so check distribution repositories too. Developers should test sites with the latest versions.
User Impact and Risks
Regular users face a low threat unless they open malicious files. PDF workflows or script-heavy sites raise the odds. No zero-days are confirmed. Past patches saw quick attacks. Updating now cuts that window.
FAQ
Three memory flaws: two high-severity in PDFium/V8, one medium in Media.
Windows/Mac: 145.0.7632.109/.110. Linux: 144.0.7559.109.
No reports. Details restricted to prevent them.
Desktop Stable only. Update apps via stores.