{"id":10388,"date":"2026-02-04T10:03:55","date_gmt":"2026-02-04T10:03:55","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/04\/chrome-vulnerabilities-let-attackers-execute-arbitrary-code-and-crash-system\/"},"modified":"2026-02-04T10:03:55","modified_gmt":"2026-02-04T10:03:55","slug":"chrome-vulnerabilities-let-attackers-execute-arbitrary-code-and-crash-system","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/04\/chrome-vulnerabilities-let-attackers-execute-arbitrary-code-and-crash-system\/","title":{"rendered":"Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System"},"content":{"rendered":"<div>\n<p>Google has released a critical security update for the Chrome Stable channel, addressing two high-severity vulnerabilities that expose users to potential arbitrary code execution (ACE) and <a href=\"https:\/\/cybersecuritynews.com\/tag\/denial-of-service-dos-2\/\" type=\"post_tag\" id=\"2953\" target=\"_blank\" rel=\"noreferrer noopener\">denial-of-service<\/a> (DoS) attacks.<\/p>\n<p>The update pushes the browser version to 144.0.7559.132\/.133 for Windows and macOS, and 144.0.7559.132 for Linux.<\/p>\n<p>The technology giant confirmed that the rollout will occur over the coming days and weeks. These patches specifically target memory corruption issues within the browser\u2019s JavaScript engine and video processing libraries.<\/p>\n<p>The update resolves two specific security flaws, both classified as \u201cHigh\u201d severity. 
Successful exploitation of these vulnerabilities typically requires a user to visit a specially crafted website, which can trigger the exploit within the browser\u2019s renderer process.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-cve-2026-1862-type-confusion-in-v8\"><strong>CVE-2026-1862: Type Confusion in V8<\/strong><\/h2>\n<p>The most significant flaw is located in V8, Google\u2019s open-source high-performance JavaScript and WebAssembly engine. Type confusion vulnerabilities occur when the engine is tricked into accessing a memory resource using an incompatible type, for example by treating an integer as a pointer.<\/p>\n<p>Attackers frequently leverage V8 type confusion bugs to manipulate memory pointers. This manipulation allows them to read or write memory out of bounds, potentially leading to arbitrary code execution within the sandboxed environment. This vulnerability was reported by researcher Chaoyuan Peng (@ret2happy).<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-cve-2026-1861-heap-buffer-overflow-in-libvpx\"><strong>CVE-2026-1861: Heap Buffer Overflow in libvpx<\/strong><\/h2>\n<p>The second vulnerability resides in <code>libvpx<\/code>, the reference software library for the VP8 and VP9 video coding formats. A heap buffer overflow occurs when a process attempts to write more data to a fixed-length memory buffer than it can hold.<\/p>\n<p>In this context, an attacker could embed a malformed video stream on a webpage. When Chrome attempts to process this video using <code>libvpx<\/code>, the overflow could corrupt adjacent memory on the heap. 
This usually results in a browser crash (DoS) but can also be chained with other exploits to achieve code execution.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">CVE ID<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Severity<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Component<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Reported By<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-2026-1862<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Type Confusion<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">V8 Engine<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Chaoyuan Peng<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-2026-1861<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap Buffer Overflow<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">libvpx<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Google Internal<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-mitigations\"><strong>Mitigations<\/strong><\/h2>\n<p>Google has not <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/02\/stable-channel-update-for-desktop.html\" type=\"link\" id=\"https:\/\/chromereleases.googleblog.com\/2026\/02\/stable-channel-update-for-desktop.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">disclosed<\/a> whether these exploits are currently being used in the wild (zero-day status), keeping bug details restricted until a majority of the user base has updated. 
However, given the nature of V8 and heap overflow vulnerabilities, the risk of weaponization remains high.<\/p>\n<p>Enterprise administrators and users are advised to update immediately. To verify the installation:<\/p>\n<ol class=\"wp-block-list\">\n<li>Open Chrome and navigate to Menu &gt; Help &gt; About Google Chrome.<\/li>\n<li>Ensure the browser checks for updates and restarts to apply version 144.0.7559.132 or later.<\/li>\n<\/ol>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/chrome-vulnerabilities-arbitrary-code-2\/\">Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System Google has released a critical security update for the Chrome Stable channel, addressing two high-severity vulnerabilities that expose users to potential arbitrary code execution (ACE) and denial-of-service (DoS) attacks. The update pushes the browser version to 144.0.7559.132\/.133 for Windows and macOS, and 144.0.7559.132 for Linux. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10388","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10388"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10388"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10388\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}