CVE-2026-2650
Published: 18 February 2026
Summary
CVE-2026-2650 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-2650 by requiring timely remediation of the known heap buffer overflow flaw through updating Google Chrome to version 145.0.7632.109 or later.
Implements memory protection safeguards such as ASLR and DEP to prevent unauthorized code execution from heap buffer overflows exploited via crafted HTML media content.
Provides process isolation for the Chrome Media component, containing heap corruption and preventing system-wide exploitation by remote attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap overflow RCE in client browser (Chrome Media) via crafted HTML directly enables drive-by compromise (T1189) and exploitation for client execution (T1203).
NVD Description
Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysisAI
CVE-2026-2650 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the Media component in Google Chrome prior to version 145.0.7632.109. Published on 2026-02-18, it allows a remote attacker to potentially exploit heap corruption by processing a crafted HTML page. Chromium security rates it as Medium severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker without privileges can exploit this vulnerability by luring a user to interact with a malicious site hosting a crafted HTML page. User interaction, such as visiting the page, is required to trigger the issue. Successful exploitation could lead to heap corruption, enabling high-impact consequences on confidentiality, integrity, and availability, such as arbitrary code execution.
Advisories reference the Chrome Releases stable channel update for desktop at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html and the Chromium issue tracker at https://issues.chromium.org/issues/476461867. Mitigation requires updating to Google Chrome 145.0.7632.109 or later.
Details
- CWE(s)