Google has released Chrome 145 to the stable channel for Windows, Mac, and Linux, addressing 11 security vulnerabilities that could allow attackers to execute malicious code on user systems.
The update fixes high-, medium-, and low-severity issues, and all users should install it promptly. The most critical vulnerability, CVE-2026-2313, is a use-after-free bug in CSS discovered by researchers from HexHive and the University of St. Andrews, which earned an $8,000 bug bounty.
In this article, we’ll cover:
- The high-, medium-, and low-severity vulnerabilities patched
- Exploit impact and attack scenarios
- Recommended steps to ensure Chrome security
High-Severity Vulnerabilities
Chrome 145 addresses three high-severity vulnerabilities, all of which could allow arbitrary code execution:
| CVE ID | Component | Vulnerability Type | Bounty |
|---|---|---|---|
| CVE-2026-2313 | CSS | Use-after-free | $8,000 |
| CVE-2026-2314 | Codecs | Heap buffer overflow | N/A |
| CVE-2026-2315 | WebGPU | Inappropriate implementation | N/A |
Key details:
- CVE-2026-2313 (CSS use-after-free): Exploitable by crafting malicious CSS content. Allows attackers to run arbitrary code on the user’s system.
- CVE-2026-2314 (Heap buffer overflow in Codecs): Can be triggered via malicious media files, enabling memory corruption and code execution.
- CVE-2026-2315 (WebGPU inappropriate implementation): Attackers could exploit flaws in GPU handling to bypass security mechanisms.
Medium-Severity Vulnerabilities
Seven medium-severity flaws were also patched:
- CVE-2026-2316: Insufficient policy enforcement in Frames
- CVE-2026-2317: Inappropriate implementation in Animation
- CVE-2026-2318: Inappropriate implementation in PictureInPicture
- CVE-2026-2319: Race condition in DevTools
- CVE-2026-2320: Inappropriate implementation in File input
- CVE-2026-2321: Use-after-free in Ozone
These vulnerabilities could allow attackers to bypass security restrictions, manipulate browser behavior, or cause unexpected crashes.
Low-Severity Vulnerabilities
Two low-severity issues were fixed:
- CVE-2026-2322: Inappropriate implementation in File input
- CVE-2026-2323: Inappropriate implementation in Downloads
These issues are less likely to be exploited but still contribute to overall browser security.
Bug Bounties and Responsible Disclosure
Google awarded over $18,500 to researchers who responsibly disclosed the vulnerabilities. The highest bounties went to academic researchers and independent security experts who identified the most critical issues before they could be exploited in the wild.
Recommended Actions for Users
- Update Chrome immediately to version:
  - Linux: 145.0.7632.45
  - Windows/Mac: 145.0.7632.45/46
- Chrome typically updates automatically, but users can check manually under Settings → About Chrome
- Enable automatic updates to ensure all security patches are applied promptly
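For administrators checking more than one machine, the version check above can be run over an inventory export. The following is an added example, not code from Google or from this article; the row layout (host, platform, version string), the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Minimum fixed builds taken from the article:
# Linux 145.0.7632.45, Windows/Mac 145.0.7632.45/46.
MIN_FIXED = {
    "linux": (145, 0, 7632, 45),
    "windows": (145, 0, 7632, 45),
    "mac": (145, 0, 7632, 45),
}

# Exactly four dot-separated numbers, not part of a longer dotted string.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 145.0.7632.45'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory row."""
    minimum = MIN_FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version
    # Tuples of ints compare numerically, field by field.
    return "patched" if version >= minimum else "outdated"


def audit(rows):
    """Group hostnames by status so outdated and unknown hosts stand out."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, platform, version_text in rows:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and older versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "Google Chrome 145.0.7632.46"),
    ("ws-02", "Windows", "Google Chrome 144.0.7000.100"),
    ("mac-01", "Mac", "145.0.7632.45"),
    ("lin-01", "Linux", "Google Chrome 145.0.7632.9 "),  # 9 < 45 numerically
    ("lin-02", "Linux", "chrome: not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be followed up rather than assumed safe, since a missing or unparseable version string says nothing about patch state.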
Google’s Proactive Security Measures
Google continues to leverage advanced security tools during development:
- AddressSanitizer and MemorySanitizer for memory error detection
- libFuzzer for fuzz testing of browser components
- Continuous internal vulnerability research to prevent security flaws from reaching end users
Conclusion
The Chrome 145 update is a critical patch addressing code execution vulnerabilities that could be exploited by attackers through CSS, Codecs, and WebGPU flaws. Users should update immediately to maintain security.
Regular updates, responsible plugin and extension management, and safe browsing habits are essential to protect against evolving web threats.