Cyber Resilience

CVE-2026-1862

High

Published: 03 February 2026

Published
03 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0058 43.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1862 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 43.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-1862 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 144.0.7559.132. Published on 2026-02-03, it enables potential heap corruption when processing a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.

A remote attacker without privileges can exploit this vulnerability by tricking a user into visiting a malicious website with the crafted HTML page, requiring user interaction such as clicking a link. Successful exploitation could lead to high confidentiality, integrity, and availability impacts, potentially allowing heap corruption and arbitrary code execution in the context of the browser.

Google addressed the vulnerability in Chrome stable channel update 144.0.7559.132, as detailed in the Chrome Releases blog (https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html), Chromium issue tracker (https://issues.chromium.org/issues/479726070), and Microsoft's Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-1862). Users should apply the patch promptly to mitigate risk.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Type confusion in V8 enables RCE via malicious webpage (drive-by) and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13226Same product: Apple Macos
CVE-2025-10585Same product: Apple Macos
CVE-2025-13230Same product: Apple Macos
CVE-2025-13229Same product: Apple Macos
CVE-2026-7988Same product: Apple Macos
CVE-2026-7927Same product: Apple Macos
CVE-2026-4457Same product: Apple Macos
CVE-2025-13224Same product: Apple Macos
CVE-2025-13228Same product: Apple Macos
CVE-2025-13630Same product: Apple Macos

Affected Assets

google
chrome
≤ 144.0.7559.132

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and patching of software flaws like the V8 type confusion vulnerability in Chrome prior to version 144.0.7559.132.

prevent

Implements memory protection mechanisms such as ASLR and DEP that mitigate heap corruption exploitation resulting from the type confusion vulnerability.

detect

Enables ongoing vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2026-1862.

References