{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1861", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-02-03T20:25:08.273Z", "datePublished": "2026-02-03T20:56:47.624Z", "dateUpdated": "2026-02-26T15:04:22.981Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "144.0.7559.132", "status": "affected", "lessThan": "144.0.7559.132", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-03T20:56:47.624Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/478942410"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T04:56:09.515853Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:22.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T04:56:09.515853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T21:19:02.364Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "144.0.7559.132", "lessThan": "144.0.7559.132", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html"}, {"url": "https://issues.chromium.org/issues/478942410"}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "Heap buffer overflow"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-03T20:56:47.624Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1861", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:22.981Z", "dateReserved": "2026-02-03T20:25:08.273Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-02-03T20:56:47.624Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "79AA1F6A-5CFF-4F19-AF14-2D79D8327564", "versionEndExcluding": "144.0.7559.132", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)"}], "id": "CVE-2026-1861", "lastModified": "2026-02-11T18:32:11.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T21:16:12.807", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Permissions Required"], "url": "https://issues.chromium.org/issues/478942410"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:03:20.420589+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 144.0.7559.132 or later", "Enable automatic updates to ensure the browser receives future security patches", "Avoid visiting untrusted websites or opening unknown HTML attachments to reduce exposure to crafted content"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Heap Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of Google Chrome prior to version 144.0.7559.132 across supported operating systems, including Windows, macOS, and Linux. Any user who visits a malicious web page or opens a crafted HTML attachment while running an affected Chrome build is at risk.", "description_and_impact": "Google Chrome contains a heap buffer overflow in the libvpx video decoding library that can be triggered by a specially crafted HTML page. The overflow can corrupt heap data, which an attacker may leverage to execute arbitrary code, potentially compromising confidentiality, integrity, and availability of the affected system. The CVSS base score of 8.8 reflects the high severity of this vulnerability.", "risk_and_exploitability": "The stored EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is a remote attacker delivering a malicious HTML page to a user via a compromised or deceptive website, exploiting the overflow while the browser parses the page. This would allow execution of injected code in the context of the user\u2019s browser, with potential for persistence and lateral movement if the user is running privileged processes."}}}}, "created": "2026-02-04T12:05:14.569933+00:00", "title": "Heap Buffer Overflow in libvpx Allows Remote Exploitation via Crafted HTML", "updated": "2026-04-18T00:15:31.771260+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}