CVE-2026-2649 is a high-severity integer overflow vulnerability in the V8 JavaScript engine used by Google Chrome. The issue affects Chrome versions earlier than 145.0.7632.109. If a user opens a specially crafted HTML page, the flaw can lead to heap corruption inside the browser.
Because V8 handles JavaScript execution, weaknesses in this component can have a wide impact across normal browsing and sandboxed processes.
If this vulnerability is not patched, an attacker could potentially use it as part of a chain to achieve remote arbitrary code execution, which can serve as an initial access vector into your environment.
• Vulnerability type: Integer overflow
• Component: V8 JavaScript engine
• Impact: Possible heap corruption
• Attack vector: Remote, triggered by a malicious HTML page
• Severity: High (CVSS 3.0 score: 8.8)
• CWE: CWE-472 (External Control of Assumed Immutable Web Parameter)
An attacker can manipulate memory structures by triggering the overflow. Depending on the environment and mitigations, this may open a path to further exploitation.
• Google Chrome versions earlier than 145.0.7632.109
All platforms running these versions are considered vulnerable.
There are currently no public reports indicating that CVE-2026-2649 has been exploited in the wild.
It remains a remotely triggerable browser vulnerability, so patching should still be treated as a priority.
Mitigation and Remediation
Update Chrome: Install Chrome version 145.0.7632.109 or later. This update contains the official fix.
Until fully updated:
• Avoid opening untrusted HTML files
• Limit browsing to trusted sites
Enterprise Recommendations
• Enforce automatic Chrome updates
• Use endpoint protection that can detect browser memory corruption attempts
• Monitor for unusual browser crashes that may indicate exploitation attempts