Description
Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures and install a malicious extension to potentially exploit object corruption via a malicious file. (Chromium security severity: Medium)
Published: 2026-02-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Object corruption that could lead to remote exploitation
Action: Patch Chrome
AI Analysis

Impact

A race condition was discovered in Chrome’s DevTools component that can corrupt internal objects when a user performs specific UI gestures and installs a malicious extension. The corrupted objects could then be leveraged by an attacker to trigger unintended behavior, potentially resulting in remote code execution or data compromise. The vulnerability is categorized as Medium severity by Chromium’s internal assessment.

Affected Systems

The flaw exists in all Google Chrome releases earlier than 145.0.7632.45, regardless of operating system. Users running Chrome on Windows, macOS, or Linux are therefore affected as indicated by the provided CPE entries.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. An EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack path requires a remote actor to influence a user into engaging in particular UI interactions and installing a malicious extension, which then triggers the race condition. While the exploitation route is indirect and user-dependent, the potential impact warrants attention.

Generated by OpenCVE AI on April 17, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that releases Chrome version 145.0.7632.45 or later.
  • If immediate patching is not possible, configure policy settings to disable or restrict access to DevTools for all users.
  • Remove or block any suspicious or unverified extensions and review the list of installed extensions for potential threats.
  • Provide user awareness training to avoid following unsolicited UI gestures or installing unknown extensions until the official update is applied.

Generated by OpenCVE AI on April 17, 2026 at 20:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6135-1 chromium security update
History

Fri, 13 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Thu, 12 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Race in DevTools
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures and install a malicious extension to potentially exploit object corruption via a malicious file. (Chromium security severity: Medium)
Weaknesses CWE-362
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-02-26T14:44:23.815Z

Reserved: 2026-02-10T21:51:45.389Z

Link: CVE-2026-2319

cve-icon Vulnrichment

Updated: 2026-02-11T19:01:59.560Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T19:15:52.027

Modified: 2026-02-13T17:29:10.443

Link: CVE-2026-2319

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-10T00:00:00Z

Links: CVE-2026-2319 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses