On February 3, 2026, Google released a new Stable Channel update for Chrome (version 144.0.7559.132/.133), fixing two serious security holes that could allow attackers to execute arbitrary code or cause systems to crash. The Linux, macOS, and Windows platforms are gradually receiving the update.
Both vulnerabilities were discovered in intricate Chromium components, libvpx and V8, which are essential to Chrome's video processing and JavaScript engine, respectively, according to Google's official security advisory. Because these modules parse and run user-supplied web content, they have been frequently exploited in past browser-based attacks.

Important flaws in V8 and libvpx

The first bug, CVE-2026-1861, is a heap buffer overflow in the libvpx library. This open-source codec library handles VP8 and VP9 video compression, which are widely used in browsers and multimedia platforms. Heap overflows happen when an application writes more data to a heap-allocated buffer than it can hold. If an attacker manages to exploit this through a well-crafted video file or webpage, it can lead to memory corruption, browser crashes, or even remote code execution.
The second vulnerability, CVE-2026-1862, is a type confusion in Chrome's V8 JavaScript engine, which interprets and runs JavaScript code. A type confusion occurs when a program handles an object as a different type than it actually is, which lets attackers manipulate memory and get around common safety checks. As a result, they may be able to steal information, run unauthorized commands, or make an application unstable.
Although Google found no proof of active exploitation in the wild, both problems were classified as high severity. To stop threat actors from abusing them, full technical details and proof-of-concept exploits are still restricted until the majority of users update.

| CVE ID | Severity | Component | Type | Reported by | Reporting Date |
|---|---|---|---|---|---|
| CVE-2026-1861 | High | libvpx | Heap buffer overflow | Google | Jan. 26, 2026 |
| CVE-2026-1862 | High | V8 (JavaScript engine) | Type confusion | Peng Chaoyuan (@ret2happy) | January 29, 2026 |

Google said that its sophisticated fuzzing tools, such as libFuzzer and AddressSanitizer, were responsible for spotting these problems before they were widely exploited.
In order to find memory and logic errors early in the development cycle, these technologies continuously test Chrome's components using random data inputs. Users are advised to update their browsers right away in order to stay safe.
To install the patch, go to Settings → About Google Chrome. This will start the update process and restart the browser when it is finished. Additionally, enterprise administrators should make sure that similar fixes are applied to managed systems that use Chromium-based browsers, like Microsoft Edge, in their upcoming release cycle.
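One way to check a managed fleet against the fixed build named above, as an added example that is not part of the original article or Google's advisory. The inventory format, host names, and sample versions are constructed, and it assumes 144.0.7559.132 is the minimum fixed build on every platform.

```python
# Added example: flag browser installs below the fixed Chrome build named in
# this article. Inventory rows are constructed sample data, not real telemetry.
import csv
import io

FIXED_CHROME = (144, 0, 7559, 132)  # from the article: 144.0.7559.132/.133

# Constructed inventory export (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,144.0.7559.132
ws-002,chrome,144.0.7559.96
ws-003,chrome,143.0.7499.170
ws-004,chrome,145.0.7600.10
ws-005,edge,144.0.3719.82
ws-006,chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(browser, version_text):
    """Classify one install as patched, vulnerable, or needing manual review."""
    version = parse_version(version_text)
    if version is None:
        return "review: unparseable version"
    if browser.lower() != "chrome":
        # Other Chromium-based browsers use their own version numbers, and the
        # article gives no fixed build for them, so never compare to Chrome's.
        return "review: check vendor advisory"
    # Tuple comparison is numeric per component, so .96 sorts below .132
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED_CHROME else "vulnerable"


def audit(inventory_csv):
    """Map host -> classification for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["browser"], r["version"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```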
Organizations should keep an eye on telemetry for crashes or questionable script behaviors from older Chrome versions, as these could be signs of exploitation attempts, according to security analysts. Keeping your browser up to date is still one of the simplest yet most effective ways to prevent client-side compromise, especially in light of the growing sophistication of drive-by download and watering-hole attacks.

