Google has released a critical security update for its Chrome browser, pushing version 145.0.7632.116/117 to Windows and macOS users, while Linux users receive version 144.0.7559.116.
The update, which is rolling out progressively over the coming days and weeks, addresses three high-severity vulnerabilities that could expose users to significant risk if left unpatched.
The update carries considerable urgency given that all three CVEs are rated High severity, a classification Google reserves for vulnerabilities with significant exploitation potential.
Two of the flaws involve out-of-bounds memory access, a class of bug that frequently serves as a foundation for remote code execution or sandbox escape chains when combined with additional exploits.
Organizations and individual users running Chrome on Windows or macOS are strongly advised to verify their browser version and apply the update as soon as it becomes available in their region.
Google Chrome Emergency Security Update
The first issue, CVE-2026-3061, is an out-of-bounds read vulnerability in Chrome’s Media component, reported by security researcher Luke Francis on February 9, 2026.
Out-of-bounds reads in media processing pipelines are particularly concerning because they can be triggered through maliciously crafted media files or web-based content, making drive-by exploitation via compromised websites a realistic attack vector.
CVE-2026-3062 affects Tint, the WebGPU shader compiler used internally by Chrome, and involves both out-of-bounds read and write conditions. Reported by researcher Cinzinga on February 11, 2026, this flaw is arguably the most technically severe of the three.
Out-of-bounds write vulnerabilities in graphics or shader processing can lead to memory corruption, enabling attackers to potentially achieve arbitrary code execution within the renderer process. As WebGPU adoption grows, vulnerabilities in components like Tint represent an expanding attack surface.
The third vulnerability, CVE-2026-3063, involves an inappropriate implementation in Chrome DevTools, reported by M. Fauzan Wijaya (Gh05t666nero) on February 17, 2026.
While this category is typically less severe than memory corruption bugs, inappropriate implementations in developer tooling can enable cross-origin data leaks, privilege abuse, or the bypass of security boundaries under specific conditions.
Google has noted that access to detailed bug reports will remain restricted until the majority of users have received the fix. This responsible disclosure practice helps limit the window of exploitation by preventing threat actors from weaponizing technical details before patches are widely deployed.
CVE IDSeverityAffected ComponentDescriptionReporterCVE-2026-3061HighMediaOut-of-bounds readLuke FrancisCVE-2026-3062HighTint (WebGPU)Out-of-bounds read and writecinzingaCVE-2026-3063HighDevToolsInappropriate implementationM. Fauzan Wijaya (Gh05t666nero)
Users should navigate to chrome://settings/help to check their current version and trigger an update manually rather than waiting for the automatic rollout.
Enterprise administrators should prioritize pushing this update through their management platforms, given the High severity ratings. Google also credited its internal security teams for delivering additional fixes through continuous audits, fuzzing, and vulnerability research programs that complement external bug bounty contributions.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Google Chrome Emergency Security Update Patches Three High-Severity Vulnerabilities appeared first on Cyber Security News.
