Cyber Resilience

CVE-2026-2650

High

Published: 18 February 2026

Published
18 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0049 38.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2650 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-2650 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the Media component in Google Chrome prior to version 145.0.7632.109. Published on 2026-02-18, it allows a remote attacker to potentially exploit heap corruption by processing a crafted HTML page. Chromium security rates it as Medium severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a malicious site hosting a crafted HTML page. User interaction, such as visiting the page, is required to trigger the issue. Successful exploitation could lead to heap corruption, enabling high-impact consequences on confidentiality, integrity, and availability, such as arbitrary code execution.

Advisories reference the Chrome Releases stable channel update for desktop at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html and the Chromium issue tracker at https://issues.chromium.org/issues/476461867. Mitigation requires updating to Google Chrome 145.0.7632.109 or later.

EU & UK References

Vulnerability details

Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap overflow RCE in client browser (Chrome Media) via crafted HTML directly enables drive-by compromise (T1189) and exploitation for client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0999Same product: Google Chrome
CVE-2025-0434Same product: Google Chrome
CVE-2025-0611Same product: Google Chrome
CVE-2025-1426Same product: Google Chrome
CVE-2026-2648Same product: Google Chrome
CVE-2026-6361Same product: Google Chrome
CVE-2025-1914Same product: Google Chrome
CVE-2026-6363Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2025-0437Same product: Google Chrome

Affected Assets

google
chrome
≤ 145.0.7632.109

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-2650 by requiring timely remediation of the known heap buffer overflow flaw through updating Google Chrome to version 145.0.7632.109 or later.

prevent

Implements memory protection safeguards such as ASLR and DEP to prevent unauthorized code execution from heap buffer overflows exploited via crafted HTML media content.

prevent

Provides process isolation for the Chrome Media component, containing heap corruption and preventing system-wide exploitation by remote attackers.

References