Google Chrome Security Alert: Critical Heap Corruption Vulnerabilities Demand Immediate Updates (February 2026)

Executive Summary

Google has released an emergency security update for Chrome (version 144.0.7559.132/.133), patching two high-severity vulnerabilities that could allow attackers to execute arbitrary code on your computer simply by getting you to visit a malicious webpage. If you haven't updated Chrome in the past week, stop reading and update now—this article will still be here when you get back.

The vulnerabilities—CVE-2026-1861 (heap buffer overflow in libvpx) and CVE-2026-1862 (type confusion in V8)—represent the kind of critical browser flaws that make security researchers lose sleep. Both can be triggered remotely through specially crafted HTML pages, requiring no downloads, no file execution, and minimal user interaction.

In this comprehensive guide, we'll break down exactly what these vulnerabilities are, how they work, who's affected, and most importantly—how to protect yourself and your organization.

The Bottom Line: What You Need to Know

The TL;DR for busy readers:

Immediate Actions:

1. ✅ Open Chrome → Settings → About Google Chrome
2. ✅ Let it update to version 144.0.7559.132 or higher
3. ✅ Click "Relaunch" to apply the update
4. ✅ If you use Edge, Brave, or other Chromium browsers—update those too

Now, for those who want to understand why this matters, let's dive deep.

Understanding the Vulnerabilities

Google's February 3, 2026 security bulletin disclosed two high-severity vulnerabilities that affect all Chrome users across Windows, macOS, and Linux. Both flaws share a common thread: they can corrupt memory in ways that allow attackers to hijack your browser and potentially your entire system.

CVE-2026-1861: The libvpx Heap Buffer Overflow

Official Description: "Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."

Let's break that down into human language.

What is libvpx?

Libvpx is an open-source video codec library that handles VP8 and VP9 video compression—the formats that power a significant portion of web video, including YouTube. Every time Chrome plays a video, decodes a WebM file, or renders a WebP image, libvpx is doing the heavy lifting behind the scenes.

What is a heap buffer overflow?

Imagine you have a box that can hold exactly 10 items. A heap buffer overflow happens when you try to stuff 100 items into that box—the extra 90 items spill over into adjacent boxes, corrupting whatever was stored there. In computer terms:

• The "heap" is a region of memory where programs dynamically allocate space
• A "buffer" is a temporary storage area in that heap
• An "overflow" occurs when data exceeds the buffer's capacity

When this happens in a controlled way, attackers can overwrite critical memory structures, redirecting program execution to their malicious code.

The Attack Vector

The scary part? This vulnerability can be triggered simply by:

• Visiting a webpage with a malformed video embedded
• Loading a page with a malicious WebP thumbnail
• Having an auto-playing video ad render in your browser
• Receiving a malicious image preview in a web-based chat

You don't need to click anything. You don't need to download anything. The mere act of your browser parsing the malicious content is enough.

CVE-2026-1862: The V8 Type Confusion

Official Description: "Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."

What is V8?

V8 is Chrome's JavaScript engine—the component that executes all the JavaScript code running on websites. It's what makes modern web applications fast and responsive. V8 is so good at its job that it's also used outside browsers in Node.js and other platforms.

What is Type Confusion?

To make JavaScript fast, V8 uses Just-In-Time (JIT) compilation through an optimizer called TurboFan. Here's where it gets interesting:

When you run the same code repeatedly, TurboFan notices patterns and makes assumptions to optimize performance. If a variable has always been a number, TurboFan generates machine code that skips type checking—because why check if it's always a number, right?

Type confusion attacks exploit this optimization. An attacker crafts JavaScript that:

1. Trains the optimizer to expect certain types
2. Tricks V8 into generating optimized code with assumptions
3. Changes the actual types at runtime
4. Watches as V8 mishandles the data, thinking a pointer is a number or vice versa

Why is this dangerous?

When V8 gets confused about types, attackers gain powerful primitives:

• addrOf: Read raw memory addresses (bypassing security randomization)
• fakeObj: Create arbitrary objects in memory
• Arbitrary read/write: Full control over browser memory

From there, it's a short path to executing whatever code the attacker wants.

Credit Where Due

This vulnerability was discovered by security researcher Chaoyuan Peng (known as @ret2happy on Twitter), who reported it to Google on January 29, 2026. Finding V8 type confusion vulnerabilities requires extraordinary skill—these bugs often hide in edge cases of the optimization logic and demand deep understanding of both JavaScript semantics and compiler internals.

Technical Deep Dive: How These Attacks Work

For those who want to understand the mechanics, let's explore how these vulnerabilities could be weaponized.

The libvpx Attack Chain

Step 1: Crafting the Payload

The attacker creates a specially malformed video file. The file's header might claim a frame size of 64 pixels, but the actual compressed data contains instructions for thousands of pixels. Libvpx reads the header, allocates a small buffer, then starts decoding—writing far beyond the buffer's boundaries.

Step 2: Heap Feng Shui

Random memory corruption usually just crashes the browser. To achieve code execution, attackers use a technique called "Heap Feng Shui" (or Heap Grooming):

[Normal Object A] [Vulnerable Buffer] [Normal Object B]
                         ↓
[Normal Object A] [OVERFLOW DATA...] [Corrupted Object B]

By carefully controlling what objects sit adjacent to the vulnerable buffer, attackers ensure their overflow data overwrites something useful—like a function pointer.

Step 3: Code Execution

When the browser later tries to use the corrupted object (say, calling a method on it), it follows the attacker's overwritten pointer instead of the legitimate function address. The browser now executes attacker-controlled code.

The V8 Attack Chain

Step 1: Training the Optimizer

// Attacker's script runs this 10,000 times
function innocent(arr) {
    return arr[0];
}

let numbers = [1.1, 2.2, 3.3];
for (let i = 0; i < 10000; i++) {
    innocent(numbers);
}
// TurboFan thinks: "arr is always a float array, skip type checks!"

Step 2: The Type Switch

Through a carefully crafted vulnerability trigger, the attacker changes the array's internal type without deoptimizing the function:

triggerVulnerability(numbers);
// Array is now Object array internally, but JIT code still treats it as float

Step 3: Memory Leakage

let leakedPointer = innocent(numbers);
// JIT code reads an object pointer as if it were a float
// Attacker now has raw memory addresses

Step 4: Full Exploitation

With the ability to read arbitrary memory addresses and create fake objects, the attacker can:

• Locate WebAssembly pages (which are read-write-execute)
• Inject shellcode into those pages
• Execute any code they want

The Renderer Sandbox

"But wait," you might say, "doesn't Chrome have a sandbox?"

Yes, and it's a significant protection layer. Both vulnerabilities compromise the renderer process, which is sandboxed with limited system access. However:

1. The sandbox isn't perfect: Sandbox escape vulnerabilities exist and are actively sought by attackers
2. Data theft is possible: The renderer has access to the current page's data, cookies, and potentially saved passwords
3. Chaining is common: Attackers often combine renderer exploits with sandbox escapes for full system compromise
4. Some data doesn't need sandbox escape: Session tokens, form data, and cryptocurrency wallet keys can all be stolen from within the sandbox

Who Is Affected?

These vulnerabilities cast a wide net. Here's everyone who needs to pay attention:

Directly Affected

Google Chrome Users (All Platforms)

• Windows: Chrome < 144.0.7559.132
• macOS: Chrome < 144.0.7559.132
• Linux: Chrome < 144.0.7559.133
• Android: Chrome for Android < 144.0.7559.132
• ChromeOS: Affected until system update

Microsoft Edge Users
Edge is built on Chromium and shares the vulnerable code. Microsoft typically releases coordinated updates within days of Chrome patches. Check edge://settings/help for your version.

Other Chromium-Based Browsers

• Brave
• Opera
• Vivaldi
• Samsung Internet
• And dozens more

Electron Applications
This is the hidden danger many overlook. Electron wraps Chromium to build desktop apps. If you use any of these, you may be running vulnerable code:

• Slack
• Discord
• Visual Studio Code
• Microsoft Teams (desktop)
• Figma Desktop
• 1Password
• Signal Desktop
• Notion
• Obsidian
• And many more

These applications need their own updates—updating Chrome doesn't protect them.

Enterprise Impact

Organizations face compounded risk:

• Attack surface: Every employee browser is a potential entry point
• Lateral movement: Browser compromise can lead to credential theft and network access
• Data exfiltration: Access to cloud services, internal tools, and sensitive data
• Supply chain risk: Electron apps in the software stack may go unpatched longer

Real-World Attack Scenarios

Let's explore how these vulnerabilities might be weaponized in practice.

Scenario 1: The Watering Hole Attack

Target: Employees of a financial services company

Method:

1. Attackers compromise a financial news website's ad network
2. Malicious ads containing the libvpx exploit are served to visitors
3. When employees check morning market news, their browsers are compromised
4. Attackers harvest session cookies for internal banking systems
5. Wire transfers are initiated before anyone notices

Why it works: No suspicious emails, no phishing clicks—just reading the news at work.

Scenario 2: The Targeted Spear Attack

Target: A specific software developer with production access

Method:

1. Attackers create a fake job posting for an exciting startup
2. Developer clicks the "about us" page link in a LinkedIn message
3. The page contains the V8 type confusion exploit
4. Attackers steal SSH keys and cloud credentials from the developer's machine
5. Production servers are compromised

Why it works: The attack looks completely legitimate and requires no file downloads.

Scenario 3: The Cryptocurrency Heist

Target: Users of web-based cryptocurrency wallets

Method:

1. Attackers buy advertising on crypto-related forums
2. Ads contain the libvpx exploit via malicious WebP images
3. When victims' browsers parse the ad images, code execution occurs
4. JavaScript-based wallet extensions are attacked
5. Private keys are exfiltrated
6. Wallets are drained

Why it works: Crypto users are valuable targets, and the attack requires zero interaction.

Scenario 4: The Mass Exploitation Campaign

Target: Anyone with an unpatched browser

Method:

1. Attackers compromise a CDN or high-traffic website
2. They inject the V8 exploit into served JavaScript
3. Thousands of visitors are compromised hourly
4. Infected browsers become part of a botnet
5. Botnet is used for DDoS, cryptomining, or sold to other criminals

Why it works: The sheer scale of modern web traffic means even brief compromises affect massive numbers of users.

Historical Context: libvpx's Troubled Past

CVE-2026-1861 is not libvpx's first rodeo with heap buffer overflows. This vulnerability class has a troubling history in the library:

CVE-2023-5217 (September 2023)

A heap buffer overflow in VP8 encoding that was actively exploited in the wild before Google patched it. This zero-day was used in targeted attacks, demonstrating that libvpx vulnerabilities are not just theoretical—attackers actively seek and exploit them.

CVE-2023-44488 (September 2023)

A VP9 parsing vulnerability causing crashes. While "just" a denial of service, crash vulnerabilities in parsing code often indicate deeper memory safety issues.

The Pattern

LibVPx is written in C/C++, languages that require manual memory management. Despite extensive fuzzing and security reviews, these languages' lack of memory safety guarantees means new vulnerabilities continue to emerge. Each new CVE represents a failure mode that wasn't anticipated.

This historical pattern should inform your patching urgency: libvpx vulnerabilities have been exploited before, and they will be again.

How to Check If You're Vulnerable

Google Chrome

1. Open Chrome
2. Click the three-dot menu (⋮) in the top right
3. Navigate to Help → About Google Chrome
4. Check the version number

You're safe if: Version is 144.0.7559.132 or higher (Windows/Mac) or 144.0.7559.133 or higher (Linux)

You're vulnerable if: Any version below these numbers

Microsoft Edge

1. Open Edge
2. Click the three-dot menu (⋯)
3. Navigate to Help and feedback → About Microsoft Edge
4. Check the version number

Edge versions will differ from Chrome but should include the February 2026 security updates.

Checking Electron Apps

This is trickier. Most Electron apps don't clearly display their Chromium version. Options include:

• Check the app's release notes for security updates
• Look for the app in Help → About for version info
• Contact the app vendor to confirm they've updated their Electron version
• Use a tool like npm list electron if you have access to the app's package files

For System Administrators

Run this PowerShell command to check Chrome version across your fleet:

Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | 
    Where-Object DisplayName -like "*Chrome*" | 
    Select-Object DisplayName, DisplayVersion

Or use osquery:

SELECT name, version, path 
FROM processes 
WHERE name = 'chrome.exe' 
AND version < '144.0.7559.132';

Step-by-Step Update Guide

Updating Google Chrome (Desktop)

Automatic Update (Recommended)

1. Open Google Chrome
2. Click the three-dot menu (⋮) in the top-right corner
3. Select Settings
4. Click About Chrome in the left sidebar
5. Chrome will automatically check for updates
6. Wait for the download to complete
7. Click Relaunch to restart Chrome with the update applied

Important: Simply downloading the update isn't enough. Chrome must be relaunched to apply the patch. If you see a colored arrow icon in the top-right (green → yellow → red based on age), you have a pending update—click it and relaunch.

Manual Update (If Auto-Update Fails)

1. Visit https://www.google.com/chrome/
2. Download the latest installer
3. Close all Chrome windows
4. Run the installer
5. Reopen Chrome and verify the version

Updating Chrome on Android

1. Open the Google Play Store
2. Tap your profile icon
3. Tap Manage apps & device
4. Tap Updates available
5. Find Chrome and tap Update (or Update All)

Updating Microsoft Edge

1. Open Microsoft Edge
2. Click the three-dot menu (⋯)
3. Select Help and feedback → About Microsoft Edge
4. Edge will check for and install updates
5. Click Restart when prompted

Updating Other Chromium Browsers

Brave:
Menu → About Brave → Wait for update → Relaunch

Opera:
Menu → Update & Recovery → Check for Update

Vivaldi:
Menu → Help → Check for Updates

Enterprise Considerations

For IT administrators and security teams, browser vulnerabilities require systematic response.

Enforcement via Group Policy

Force Chrome Updates:

Policy: GoogleUpdate → Applications → Google Chrome → Update policy override
Value: Always allow updates (recommended)

Force Relaunches:

Policy: RelaunchNotification
Value: 2 (Recommended - notify and force relaunch)

Policy: RelaunchNotificationPeriod
Value: 43200000 (12 hours in milliseconds)

This gives users 12 hours to save their work, then forces a browser restart.

Mobile Device Management (MDM)

For managed ChromeOS devices and Android Enterprise:

• Use Google Admin Console to set update policies
• Configure automatic update time windows
• Monitor compliance through admin reports

Version Auditing

Create monitoring for vulnerable versions:

Tanium Query:

SELECT * FROM installed_applications 
WHERE name LIKE '%Chrome%' 
AND version < '144.0.7559.132'

Microsoft Defender for Endpoint:
Use Advanced Hunting to identify vulnerable endpoints:

DeviceTvmSoftwareInventory
| where SoftwareName contains "Chrome"
| where SoftwareVersion < "144.0.7559.132"
| summarize DeviceCount = count() by SoftwareVersion

Communication Template

Send this to your organization:

Subject: Critical Chrome Security Update Required - Action Needed Today

A critical security vulnerability has been discovered in Google Chrome that could allow attackers to compromise your computer by simply loading a malicious webpage.

Required Action:Close all Chrome tabs (save your work first!)Click the three-dot menu → Help → About Google ChromeLet Chrome update (if needed)Click RelaunchVerify your version is 144.0.7559.132 or higher

This also affects Microsoft Edge, Brave, and other browsers. Please update all browsers you use.

If you have questions, contact the IT Help Desk.

Detection and Response

For security operations teams, here's how to detect exploitation attempts.

Indicators of Compromise

Browser Crashes (Pre-Exploitation)
Failed exploitation attempts typically crash the browser. Monitor for:

• Event ID 1000 (Application Error) with chrome.exe
• Sudden spikes in "Aw, Snap!" errors across the organization
• Renderer process crashes without user-initiated actions

Suspicious Child Processes (Post-Exploitation)
Successful sandbox escape often involves spawning system processes:

• chrome.exe spawning cmd.exe or powershell.exe
• chrome.exe spawning wscript.exe or cscript.exe
• On Linux: chrome spawning /bin/sh or /bin/bash

Network Anomalies

• Unexpected outbound connections from chrome.exe to unknown IPs
• Data exfiltration patterns (large uploads)
• Command and control beaconing

SIEM Rules

Splunk:

index=windows sourcetype=WinEventLog:Security 
EventCode=4688 
ParentProcessName="*chrome.exe" 
(NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe")
| stats count by Computer, NewProcessName

Microsoft Sentinel:

DeviceProcessEvents
| where InitiatingProcessFileName == "chrome.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine

Incident Response Playbook

If you detect potential exploitation:

1. Contain: Isolate the affected endpoint from the network
2. Collect: Acquire browser memory dump and relevant logs
3. Analyze: Check for malicious artifacts, dropped files, or persistence mechanisms
4. Credential Reset: Assume all credentials accessed from the browser are compromised
5. Hunt: Search for similar activity across other endpoints
6. Remediate: Reimage if compromise confirmed; update all browsers regardless

Temporary Mitigations

If you absolutely cannot update immediately, these measures can reduce (but not eliminate) risk.

Disable JIT Compilation

Chrome can run with the V8 optimizer disabled, mitigating type confusion vulnerabilities:

Windows:
Create a shortcut with these parameters:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --js-flags="--no-opt"

macOS:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --js-flags="--no-opt"

Caveats:

• ~30% performance degradation
• Only mitigates CVE-2026-1862, not CVE-2026-1861
• Not a substitute for patching

Enable Strict Site Isolation

This is usually on by default, but verify:

1. Navigate to chrome://flags
2. Search for "Strict Origin Isolation"
3. Ensure it's Enabled
4. Relaunch

This prevents a compromised renderer from accessing data from other origins (e.g., your bank tab).

Browser Isolation for High-Value Users

For executives, IT admins, and other high-value targets, consider Remote Browser Isolation (RBI) solutions that execute browser code on remote servers. Products include:

• Zscaler Browser Isolation
• Cloudflare Browser Isolation
• Menlo Security

Network-Level Protections

• Block known malicious domains at the firewall
• Enable SSL inspection to detect malicious content
• Use threat intelligence feeds to identify emerging attacks

Frequently Asked Questions

Q: Is this being exploited in the wild?

A: At the time of disclosure (February 3, 2026), Google reported no evidence of active exploitation. However, now that the vulnerabilities are public, exploit development is likely underway. The window between patch release and active exploitation (the "N-day" window) is typically 24-48 hours for browser vulnerabilities.

Q: I use Safari, am I affected?

A: No. Safari uses WebKit (different from Chromium) and the Nitro JavaScript engine (different from V8). These specific vulnerabilities don't affect Safari. However, Safari has its own vulnerabilities—keep it updated too.

Q: I use Firefox, am I affected?

A: No. Firefox uses the Gecko engine and SpiderMonkey JavaScript engine. These are unrelated to the Chromium/V8 vulnerabilities. Still, keep Firefox updated for its own security fixes.

Q: Does my antivirus protect me?

A: Traditional antivirus provides limited protection against browser-based attacks. These exploits execute in memory without dropping files, bypassing signature-based detection. Modern EDR solutions with behavioral analysis offer better protection, but updating the browser is the only reliable fix.

Q: I updated Chrome but the version number hasn't changed?

A: Chrome needs to be relaunched after updating. Close all Chrome windows (check your system tray for hidden instances) and reopen Chrome, then check the version again.

Q: Can I be exploited just by opening Chrome?

A: No. The exploitation requires loading malicious content—a webpage, video, or image. Simply having Chrome open doesn't expose you. However, if you have tabs open from the previous session, those tabs may load content automatically.

Q: Are mobile browsers affected?

A: Yes. Chrome for Android uses the same V8 engine and libvpx library. Chrome for iOS uses Apple's WebKit (required by App Store policy), so it's not affected by these specific vulnerabilities.

Q: How did Google find these bugs?

A: CVE-2026-1861 was discovered internally using Google's extensive fuzzing infrastructure (tools like AddressSanitizer and libFuzzer that automatically generate malformed inputs to find crashes). CVE-2026-1862 was reported by external researcher Chaoyuan Peng through the Chrome Vulnerability Reward Program.

Q: What's the bounty for finding these bugs?

A: Google typically pays $10,000-$100,000+ for high-severity Chrome vulnerabilities, depending on quality and impact. Type confusion bugs in V8 that achieve code execution often command the higher end of this range.

Conclusion and Action Items

Browser vulnerabilities are among the most dangerous threats in today's security landscape. They require no user downloads, no email phishing clicks, and no special access—just the simple act of browsing the web.

CVE-2026-1861 and CVE-2026-1862 represent exactly the kind of vulnerabilities that keep security professionals awake at night: remotely exploitable, minimal interaction required, and affecting the most widely-used browser in the world.

Your Immediate Action Items

For Individual Users:

1. ✅ Update Chrome to version 144.0.7559.132 or higher NOW
2. ✅ Update Edge, Brave, and any other Chromium browsers
3. ✅ Check for updates to Electron apps (Slack, Discord, VS Code, etc.)
4. ✅ Enable automatic updates for all browsers

For IT Administrators:

1. ✅ Deploy GPO/MDM policies forcing browser updates
2. ✅ Set maximum 24-hour relaunch enforcement
3. ✅ Audit all endpoints for vulnerable versions
4. ✅ Communicate urgency to all users
5. ✅ Add detection rules for exploitation indicators

For Security Teams:

1. ✅ Implement SIEM rules for suspicious browser behavior
2. ✅ Update incident response playbooks for browser compromises
3. ✅ Consider browser isolation for high-value users
4. ✅ Monitor threat intelligence for emerging exploits

Looking Forward

The discovery of these vulnerabilities highlights several ongoing challenges:

Memory-unsafe languages: Both vulnerabilities stem from C/C++ code where manual memory management enables entire vulnerability classes that don't exist in memory-safe languages like Rust.

Optimization trade-offs: V8's aggressive JIT compilation makes JavaScript fast but creates complex attack surfaces. Every optimization is a potential bug.

Dependency risk: Chrome depends on many third-party libraries (like libvpx), each with its own security history and update cycle.

Google's security team does exceptional work, finding many vulnerabilities through fuzzing before attackers discover them. But the fundamental architecture of modern browsers—parsing untrusted content at high speed—will continue generating security challenges.

Your best defense remains simple: update early, update often, and treat browser security as critical infrastructure.

Stay safe out there.

References

1. Google Chrome Releases Blog - Stable Channel Update for Desktop (February 2026)
   https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html
2. NVD - CVE-2026-1861
   https://nvd.nist.gov/vuln/detail/CVE-2026-1861
3. Chromium Issue Tracker - CVE-2026-1861
   https://issues.chromium.org/issues/478942410
4. Chromium Issue Tracker - CVE-2026-1862
   https://issues.chromium.org/issues/479726070
5. Microsoft Security Update Guide - Chromium Vulnerabilities
   https://msrc.microsoft.com/update-guide/vulnerability
6. libvpx Project
   https://www.webmproject.org/code/

This article is part of hackernoob.tips' ongoing coverage of critical security vulnerabilities. For more security guides, vulnerability analyses, and protection strategies, subscribe to our newsletter.