Description
Heap buffer overflow in Codecs in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Published: 2026-02-11
Score: 8.8 High
EPSS: 4.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heap buffer overflow in several video and audio codecs within Google Chrome allows a crafted HTML page to overwrite heap memory, potentially enabling arbitrary code execution on the host. The overflow is triggered by malformed codec data; if exploited, it could give an attacker full control over the user's system, compromising confidentiality, integrity, and availability. This weakness is characterized as CWE‑122 (Heap-based Buffer Overflow) and CWE‑787 (Use After Free).

Affected Systems

Google Chrome users whose browser version is earlier than 145.0.7632.45 on any supported platform—Windows, macOS, or Linux—are affected. The issue arises in all installations that include the vulnerable code paths for codec processing, regardless of the operating system.

Risk and Exploitability

The CVSS base score is 8.8 and the EPSS score is 4%, indicating a high severity but a moderate current exploitation probability. The flaw is not listed in the CISA KEV catalog, suggesting no widely deployed exploits yet. Nevertheless, the attack vector is remote via a maliciously crafted HTML page viewed in the browser, so any user who visits an untrusted site or opens a malicious file could be at risk. Successful exploitation would require the victim to load the malicious content; no local privilege escalation is required.

Generated by OpenCVE AI on June 18, 2026 at 11:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 145.0.7632.45 or later, which addresses the CWE‑122 and CWE‑787 heap overflow vulnerabilities with bounds‑checking and deallocation fixes.
  • Enable automatic updates in Chrome settings to be notified of and install new security releases promptly.
  • Isolate browsing of untrusted websites by using Chrome's site isolation and sandbox features; consider disabling JavaScript or applying Content Security Policy to limit codec processing on suspicious pages, thereby reducing the impact of heap overflows.
  • If the patch cannot be applied immediately, run untrusted web content in a virtual machine or isolated container to contain any heap corruption from affecting the host system.

Generated by OpenCVE AI on June 18, 2026 at 11:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6135-1 chromium security update
History

Fri, 13 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-787
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 12 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Heap buffer overflow in Codecs
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in Codecs in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-122
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-02-26T14:44:24.440Z

Reserved: 2026-02-10T21:51:42.579Z

Link: CVE-2026-2314

cve-icon Vulnrichment

Updated: 2026-02-11T18:54:08.894Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T19:15:51.427

Modified: 2026-06-17T10:30:45.850

Link: CVE-2026-2314

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-10T00:00:00Z

Links: CVE-2026-2314 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:15:03Z

Weaknesses