High

Heap Buffer Overflow in Google Chrome Media

IdentifiersCVE-2026-2650CWE-122· Heap-based Buffer Overflow

CVE-2026-2650 is a heap buffer overflow in the Media component of Google Chrome affecting versions prior to 145.0.7632.109. According to the provided advisory content, a remote attacker can trigger heap corruption by causing a victim to process a crafted HTML page. The available information identifies the bug class and affected component, but does not provide function-level or root-cause implementation details. Chromium rated the issue as Medium severity.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may allow a remote attacker to corrupt heap memory in the browser process via crafted web content. Based on the supplied advisories, this could result in a browser crash or denial of service, and depending on exploitability constraints, may enable further impact such as arbitrary code execution or information disclosure. Debian’s advisory for the bundled Chromium fixes notes that the set of addressed issues could lead to arbitrary code execution, denial of service, or information disclosure.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is prompt patching. Until updates are deployed, reduce exposure to untrusted web content by restricting access to untrusted sites, using enterprise browser controls where feasible, and relying on Chrome’s existing sandboxing and site-isolation protections. No specific vendor workaround beyond updating was provided.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome to version 145.0.7632.109 or later. For Debian chromium, apply the vendor-provided fixed packages: 145.0.7632.109-1~deb12u3 for oldstable (bookworm) or 145.0.7632.109-1~deb13u3 for stable (trixie), as applicable.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app

cyber security newsNews

Feb 20, 2026

Google Issues Emergency Chrome Security Update to Address High-Severity PDFium and V8 Flaws

Medium-severity heap buffer overflow in Chrome’s Media component; technical details are restricted per Google disclosure policy.

cvefeed high severityNews

Feb 18, 2026

CVE-2026-2650 - Google Chrome Heap Buffer Overflow

A heap buffer overflow (CWE-122) in the Media component of Google Chrome that could allow remote attackers to trigger heap corruption via a crafted HTML page.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-2650

NVD

nvd.nist.gov/vuln/detail/CVE-2026-2650

MITRE CWE · CWE-122

Heap-based Buffer Overflow

Release Notes

chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html

Issue Tracking

issues.chromium.org/issues/476461867