Google has officially promoted Chrome 145 to the stable channel, rolling out a fresh wave of defenses for billions of users across Windows, Mac, and Linux. This update isn’t just about new features; it brings critical reinforcements under the hood, squashing 11 security vulnerabilities, including three high-severity flaws that could leave browsers exposed to exploitation.
The update brings the browser to version 145.0.7632.45 for Linux and 145.0.7632.45/.46 for Windows and Mac, with the rollout expected to complete over the coming days.
Leading the security charge are three “High” severity vulnerabilities that target core components of the browsing experience: how Chrome handles styles, video, and graphics.
- CSS “Use After Free” (CVE-2026-2313): The most lucrative bug of the bunch, this vulnerability in the CSS engine earned its discoverers an $8,000 bounty. Researchers Han Zheng (HexHive), Wenhao Fang (University of St. Andrews), and Qinying Wang (HexHive) identified a “Use after free” memory corruption issue, a class of bug often used by attackers to execute arbitrary code.
- Codec Corruption (CVE-2026-2314): Internal Google researchers uncovered a “Heap buffer overflow” in Chrome’s Codecs. Buffer overflows are a classic attack vector, potentially allowing malicious media files to crash a browser or run unauthorized commands.
- WebGPU Implementation (CVE-2026-2315): As browsers increasingly rely on the GPU for heavy lifting, the security of these interfaces is paramount. Google’s team patched an “Inappropriate implementation” in WebGPU, closing a gap in how the browser handles advanced graphics.
Beyond the high-severity flaws, the update addresses several “Medium” risks that could be abused to bypass security policies or spoof UI elements.
- Frames (CVE-2026-2316): Researcher Luan Herrera earned $5,000 for finding “Insufficient policy enforcement in Frames,” highlighting potential weaknesses in how Chrome isolates different parts of a webpage.
- Animation (CVE-2026-2317): A $2,000 bounty was awarded to Brendan Draper for an issue in Chrome’s Animation engine.
- PictureInPicture (CVE-2026-2318): Shaheen Fazim took home $1,000 for identifying an inappropriate implementation in the PictureInPicture feature, which allows videos to float over other windows.
With vulnerabilities spanning from CSS rendering to video codecs, the attack surface in this release is diverse. Users are advised to force an update immediately by navigating to Settings > Help > About Google Chrome to ensure they are running version 145.0.7632.45 or higher.
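For administrators checking more than one machine, the version comparison above can be scripted. The following is an added example, not part of the original article or any Google tooling: it compares reported version strings against the fixed build 145.0.7632.45 numerically, since a plain string comparison ranks "99.x" above "145.x". The hostnames and inventory lines are constructed, and the input format (hostname, then the version string a host reports, for instance from `google-chrome --version` on Linux) is an assumption.

```python
import re

# Fixed build named in the article; the minimum for Windows, Mac and Linux.
FIXED_BUILD = (145, 0, 7632, 45)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as 'Google Chrome 145.0.7632.45'."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_patched(text, fixed=FIXED_BUILD):
    """True if at or above the fixed build, False if older, None if unparseable."""
    version = parse_version(text)
    return None if version is None else version >= fixed


def audit(inventory):
    """Return hosts needing attention as {host: 'outdated' | 'unknown'}."""
    findings = {}
    for line in inventory.strip().splitlines():
        host, _, reported = line.partition(",")
        status = is_patched(reported)
        if status is False:
            findings[host.strip()] = "outdated"
        elif status is None:
            # No version found: treat as unverified rather than silently passing.
            findings[host.strip()] = "unknown"
    return findings


# Constructed sample inventory: hostname, reported version string.
SAMPLE_INVENTORY = """
ws-001,Google Chrome 145.0.7632.45
ws-002,Google Chrome 145.0.7632.46
ws-003,Google Chrome 145.0.7632.5
ws-004,Google Chrome 99.0.4844.84
ws-005,Google Chrome 146.0.7700.1
ws-006,command not found
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```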