{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2650", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "state": "PUBLISHED", "assignerShortName": "Chrome", "dateReserved": "2026-02-18T00:23:54.800Z", "datePublished": "2026-02-18T21:39:04.464Z", "dateUpdated": "2026-02-26T14:44:15.157Z"}, "containers": {"cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"version": "145.0.7632.109", "status": "affected", "lessThan": "145.0.7632.109", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Heap buffer overflow", "cweId": "CWE-122"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-18T21:39:04.464Z"}, "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/476461867"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T04:55:53.565978Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:15.157Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2650", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T04:55:53.565978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T22:07:31.635Z"}}], "cna": {"affected": [{"vendor": "Google", "product": "Chrome", "versions": [{"status": "affected", "version": "145.0.7632.109", "lessThan": "145.0.7632.109", "versionType": "custom"}]}], "references": [{"url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html"}, {"url": "https://issues.chromium.org/issues/476461867"}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "Heap buffer overflow"}]}], "providerMetadata": {"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "shortName": "Chrome", "dateUpdated": "2026-02-18T21:39:04.464Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2650", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:15.157Z", "dateReserved": "2026-02-18T00:23:54.800Z", "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28", "datePublished": "2026-02-18T21:39:04.464Z", "assignerShortName": "Chrome"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C277072-720B-4A77-AC3F-CD3348E19407", "versionEndExcluding": "145.0.7632.109", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)"}, {"lang": "es", "value": "Desbordamiento del b\u00fafer de la pila en Media en Google Chrome anterior a la versi\u00f3n 145.0.7632.109 permite, potencialmente, a un atacante remoto explotar la corrupci\u00f3n de la pila mediante una p\u00e1gina HTML manipulada. (Gravedad de seguridad de Chromium: Media)"}], "id": "CVE-2026-2650", "lastModified": "2026-02-19T18:35:11.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-18T22:16:26.980", "references": [{"source": "chrome-cve-admin@google.com", "tags": ["Release Notes"], "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html"}, {"source": "chrome-cve-admin@google.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://issues.chromium.org/issues/476461867"}], "sourceIdentifier": "chrome-cve-admin@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "chrome-cve-admin@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "chromium-browser: Heap buffer overflow in Media", "id": "2440808", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440808"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-2650", "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2650\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2650\nhttps://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html\nhttps://issues.chromium.org/issues/476461867"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[145.0.7632.109,145.0.7632.109)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Chrome", "source": "cna", "vendor": "Google"}, "product": "chrome", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-17T18:25:35.934877+00:00", "value": {"mitigation_remediation": ["Upgrade Google Chrome to version 145.0.7632.109 or newer.", "Ensure that automatic updates are enabled so the browser receives future security patches promptly.", "Avoid navigating to or executing content from untrusted websites, and consider using web\u2011filtering tools that block known malicious domains."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all users running Google Chrome versions prior to 145.0.7632.109 on desktop platforms. The affected vendor\u2011product is Google Chrome, as listed in the CNA data.", "description_and_impact": "A heap buffer overflow occurs in the Media component of Google Chrome, allowing a crafted HTML page to corrupt heap memory. This flaw, classified as CWE\u2011122, can potentially lead to arbitrary code execution when a user renders the malicious page, posing a severe threat to confidentiality, integrity, and availability of the client system.", "risk_and_exploitability": "The CVSS base score is 8.8, indicating a high severity. The EPSS probability is under 1\u202f%, and it is not currently listed in the CISA KEV catalog, which suggests exploitation is rare but still plausible. The attack vector requires a user to open a malicious HTML page, so the risk is primarily to users browsing compromised content and is mitigated by applying the security update."}}}}, "created": "2026-02-19T10:10:54.974551+00:00", "updated": "2026-04-17T18:30:05.656786+00:00", "vendors": ["google", "google$PRODUCT$chrome"]}