Chrome Alert: High-Severity Flaws in Media and Tint Engine Trigger Emergency Update
Do Son 
Google has officially announced an important update for the Chrome Stable channel, addressing three high-severity security vulnerabilities that could compromise user data and system stability. The update, which brings the browser to version 145.0.7632.116/117 for Windows and Mac and 144.0.7559.116 for Linux, is expected to reach the global user base over the coming days and weeks.
In a move to protect the ecosystem, Google is currently withholding full technical specifics. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company stated, noting that restrictions remain if flaws exist in shared third-party libraries that have not yet been patched.
The update focuses on three distinct areas of the browser—Media, the Tint graphics engine, and the DevTools suite—each presenting a “High” risk level to the end-user.
- Memory Corruption in Media (CVE-2026-3061)
Reported by researcher Luke Francis on February 9, 2026, CVE-2026-3061 involves an “Out of bounds read” within Chrome’s Media component.An out-of-bounds read occurs when a program reads data past the end, or before the beginning, of the intended buffer. In the context of media playback, this could allow an attacker to craft a malicious video or audio file that, when rendered by the browser, leaks sensitive information from the system’s memory. - Tint Component Instability (CVE-2026-3062)
Perhaps the most versatile of the three, CVE-2026-3062 was identified by the researcher “cinzinga” on February 11, 2026. This flaw represents both an “Out of bounds read and write” in Tint, the compiler used for the WebGPU Shading Language (WGSL). While a “read” leaks data, a “write” vulnerability is significantly more dangerous, as it allows an attacker to modify memory. This can lead to the corruption of valid data, intentional system crashes, or even the redirection of the application’s execution flow to run malicious code. - DevTools Implementation Flaw (CVE-2026-3063)
Rounding out the patches is CVE-2026-3063, reported by M. Fauzan Wijaya (Gh05t666nero) on February 17, 2026. Classified as an “Inappropriate implementation” in DevTools, this vulnerability suggests a logic error in how the browser’s developer tools interact with the rest of the system.
Inappropriate implementations can often lead to “sandbox escapes,” where an attacker uses the developer interface to bypass the security boundaries that usually keep web content isolated from the underlying operating system.
Because these vulnerabilities are rated as High-severity, the window for potential exploitation is narrow. Google’s policy of withholding details is a direct attempt to prevent cybercriminals from reverse-engineering the patch to create functional exploits before users have had a chance to update.
To ensure your browser is protected:
- Check for Updates: Navigate to Chrome > About Google Chrome to trigger a manual update check.
- Relaunch: Remember that the update is not fully applied until the browser is completely closed and restarted.
- Enable Automatic Updates: Ensure your system is set to apply these critical patches as soon as they become available.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
