Executive Summary

The latest release of Google Chrome 145 (versions 145.0.7632.45/46) addresses a total of 11 security vulnerabilities, including three classified as high-severity. These vulnerabilities, if left unpatched, could enable remote code execution, privilege escalation, or significant information disclosure. Notably, two of the high-severity issues were discovered internally by Google, underscoring the vendor’s commitment to proactive security research. As of this advisory, there is no evidence of exploitation in the wild or the existence of public proof-of-concept exploits. However, the criticality of browser vulnerabilities and the historical interest of advanced persistent threat (APT) groups in such attack vectors make rapid patching and vigilant monitoring essential for all organizations.

Technical Information

The 11 vulnerabilities patched in Chrome 145 span a range of browser components, with the most critical issues affecting the CSS, Codecs, and WebGPU subsystems. The high-severity vulnerabilities are as follows: CVE-2026-2313 is a use-after-free in CSS that could allow remote attackers to execute arbitrary code or cause a denial of service via crafted web content. This vulnerability was reported by researchers from HexHive and the University of St. Andrews, and is mapped to MITRE ATT&CK technique T1203 (Exploitation for Client Execution). CVE-2026-2314 is a heap buffer overflow in Codecs, discovered by Google, which could also result in arbitrary code execution or browser crashes. CVE-2026-2315 involves an inappropriate implementation in WebGPU, potentially allowing attackers to bypass security restrictions or trigger undefined behavior.

Medium-severity vulnerabilities include CVE-2026-2316 (insufficient policy enforcement in Frames), CVE-2026-2317 (inappropriate implementation in Animation), CVE-2026-2318 (inappropriate implementation in PictureInPicture), CVE-2026-2319 (race condition in DevTools), CVE-2026-2320 (inappropriate implementation in File input), and CVE-2026-2321 (use-after-free in Ozone). These issues could be leveraged in chained attacks, potentially facilitating sandbox escapes or policy bypasses.

Low-severity vulnerabilities, CVE-2026-2322 (inappropriate implementation in File input) and CVE-2026-2323 (inappropriate implementation in Downloads), present a lower risk but still warrant prompt remediation to maintain a robust security posture.

The technical root causes of these vulnerabilities include memory safety errors (use-after-free, heap buffer overflow), race conditions, and insufficient policy enforcement. Such flaws are highly attractive to attackers, as they can be exploited via malicious web content, often requiring only that a user visit a compromised or malicious website. The exploitation of use-after-free and heap buffer overflow vulnerabilities is a well-established technique for achieving remote code execution and privilege escalation in browser environments.

All high-severity vulnerabilities in this release are mapped to MITRE ATT&CK technique T1203, which covers exploitation for client execution. This mapping is significant, as it highlights the potential for these vulnerabilities to be used as initial access vectors in sophisticated attack chains. Additionally, if exploitation leads to script execution within the browser context, MITRE ATT&CK technique T1059 (Command and Scripting Interpreter) may also be relevant.

Exploitation in the Wild

As of the publication of this advisory, there is no evidence of exploitation in the wild for any of the 11 vulnerabilities patched in Chrome 145. This assessment is based on open-source threat intelligence from OffSeq Threat Radar, SecurityWeek, and monitoring of major exploit repositories such as ExploitDB and GitHub. All vulnerabilities were responsibly disclosed to Google and patched prior to public release, and no public proof-of-concept exploits have been observed on major exploit forums.

Despite the absence of active exploitation, the critical nature of several of these vulnerabilities—particularly those enabling remote code execution—means that the window for attackers to develop and deploy exploits is open. Historically, browser vulnerabilities have been rapidly weaponized following public disclosure, especially when they affect widely deployed products such as Google Chrome. Organizations should therefore treat this update as urgent and ensure that all endpoints are updated without delay.

APT Groups using this vulnerability

No specific APT group activity has been reported exploiting these vulnerabilities as of this advisory. However, it is important to note that APT groups such as APT28, APT29, and OceanLotus have a documented history of targeting browser vulnerabilities for initial access, as cataloged in the MITRE ATT&CK knowledge base. These groups have previously leveraged similar memory corruption and policy enforcement flaws in browsers to compromise high-value targets in government, financial, and critical infrastructure sectors. While there is no direct evidence linking these groups to the vulnerabilities patched in Chrome 145, organizations in at-risk sectors should remain vigilant and prioritize patching.

Affected Product Versions

The vulnerabilities addressed in this advisory affect the following product versions: Google Chrome 145.0.7632.45 for Linux, Google Chrome 145.0.7632.45 for Windows and Mac, and Google Chrome 145.0.7632.46 for Windows and Mac. All previous versions of Google Chrome are considered vulnerable to one or more of the issues described. The update is available via the standard Chrome update channels, and organizations are strongly advised to verify that all endpoints are running the latest version.

Workaround and Mitigation

The primary mitigation for these vulnerabilities is to update all instances of Google Chrome to version 145.0.7632.45/46 or later. Google Chrome’s automated update mechanism should be enabled to ensure timely deployment of security patches. In addition to patching, organizations should implement layered defenses to reduce the risk of exploitation. This includes updating endpoint protection solutions to recognize exploit techniques targeting browsers, tuning web filtering and intrusion detection systems to detect anomalous browser behavior, and isolating high-risk browsing activities in sandboxed environments or virtual machines.

User awareness is also critical; users should be trained to apply updates promptly and to recognize phishing attempts that could deliver exploit payloads. Regular security audits and vulnerability assessments should be conducted to identify unpatched systems, and threat intelligence feeds should be monitored for emerging exploit information. While no public indicators of compromise (IOCs) have been published for these vulnerabilities, organizations should remain alert for suspicious activity that could indicate attempted exploitation.

References

Chrome Releases: Stable Channel Update for Desktop (Feb 10, 2026), SecurityWeek: Chrome 145 Patches 11 Vulnerabilities, OffSeq Threat Radar: Chrome 145 Patches 11 Vulnerabilities, Reddit: Chrome 145 Fixes 11 Vulnerabilities, MITRE ATT&CK T1203

Rescana is here for you

Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated risk assessment, and actionable intelligence. Our team of cybersecurity experts is dedicated to helping you stay ahead of emerging threats and regulatory requirements. For any questions about this advisory or to discuss how we can support your security program, please contact us at ops@rescana.com.