CVE-2026-5272

Google · Chrome

A heap buffer overflow vulnerability in the GPU process of Google Chrome prior to version 146 could lead to arbitrary code execution.

Executive summary

Google Chrome versions prior to 146 contain a heap buffer overflow in the GPU process that could allow an attacker to execute arbitrary code on the host system.

Vulnerability

This is a heap buffer overflow in the GPU process of the Chrome browser, the helper process that performs GPU-accelerated rendering on behalf of the browser and its renderers. By luring a user to a crafted web page, an attacker may trigger the memory corruption, leading to a crash of the GPU process or to arbitrary code execution in the context of that process. Chrome runs the GPU process in its own sandbox, so reaching the host operating system from there requires either a weakness in the GPU sandbox or a second, sandbox-escape vulnerability chained with this one.

Business impact

Memory corruption reachable from a web page is a critical endpoint risk because the attacker only needs the victim to load content they control. Code execution in the GPU process is the first stage of a typical browser exploit chain; combined with a sandbox escape, it would allow an attacker to install malware, exfiltrate sensitive data, or gain a foothold on the local machine. With a CVSS score of 8.8, this vulnerability warrants immediate patching.

Remediation

Immediate Action: Update all instances of Google Chrome to version 146 or the latest available stable release. Verify the deployed build (chrome://version on the endpoint, or your software inventory); the major version must be 146 or higher. Ensure automatic updates are enabled for all managed workstations, and note that an update only takes effect once the browser has been relaunched.
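The following is an added example for the inventory check above; it is not part of the original advisory. It flags endpoints whose Chrome major version is below 146 and shows the one pitfall that matters here: Chrome versions are four dotted integers, and comparing them as strings sorts "99.0.x.y" after "146.0.x.y". The inventory records and their field names (hostname, chrome_version) are constructed for illustration.

```python
"""Flag endpoints whose Chrome build predates the fixed major version.

Added example, not part of the original advisory. The inventory records
below are constructed; the field names (hostname, chrome_version) are
assumptions, not any particular inventory product's schema.
"""
from __future__ import annotations

FIXED_MAJOR = 146  # first major release stated as fixed on this page


def parse_version(version: str) -> tuple[int, ...]:
    """Split a Chrome version string ("146.0.7350.10") into integers.

    Raises ValueError on anything that is not dotted integers, so an
    inventory entry such as "unknown" is surfaced rather than silently
    treated as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed_major: int = FIXED_MAJOR) -> bool:
    """True when the installed major version predates the fix.

    Integer comparison matters: as strings, "99.0.4844.84" sorts after
    "146.0.0.0", which would mark an old build as patched.
    """
    return parse_version(version)[0] < fixed_major


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Bucket hosts into vulnerable / patched / unparseable."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparseable": []}
    for rec in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(rec["chrome_version"]) else "patched"
        except ValueError:
            bucket = "unparseable"
        result[bucket].append(rec["hostname"])
    return result


# Constructed inventory; hostnames and version numbers are illustrative only.
SAMPLE_INVENTORY = [
    {"hostname": "ws-101", "chrome_version": "145.0.7300.55"},
    {"hostname": "ws-102", "chrome_version": "146.0.7350.10"},
    {"hostname": "ws-103", "chrome_version": "99.0.4844.84"},
    {"hostname": "ws-104", "chrome_version": "unknown"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unparseable" bucket should be treated as unpatched until the installed version has been confirmed by hand.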

Proactive Monitoring: Monitor endpoint security logs for unusual process spawning or crashes related to the Chrome browser. Chrome launches its GPU process with the --type=gpu-process command-line switch, and that process should not normally spawn anything; a shell or script host created by it, or a burst of GPU-process crashes on a single endpoint, is worth investigating. Utilize EDR tools to detect suspicious child processes initiated by the browser.
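As an added example of the monitoring described above (not part of the original advisory or any vendor's detection content), the script below runs two checks over constructed EDR-style process events: a child process spawned by a sandboxed Chrome process (identified by the --type= switch on its command line; the example covers the renderer as well as the GPU process, generalizing slightly beyond this CVE) and a burst of GPU-process crashes on one host inside a short window. The event schema, watchlist of child executables, hostnames and timestamps are all constructed.

```python
"""Detect suspicious children of Chrome processes and GPU-process crash bursts.

Added example, not part of the original advisory or of any EDR product.
Event records are constructed and use a simplified schema (host,
parent_image, parent_cmdline, image, timestamp, cmdline); field names
are assumptions.
"""
from __future__ import annotations

from collections import deque
from datetime import datetime, timedelta

# Chrome starts helper processes with --type=<name>. These two are sandboxed
# and normally spawn no children at all.
SANDBOXED_TYPES = {"gpu-process", "renderer"}

# Constructed watchlist of children worth alerting on; extend for your estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

CHROME_IMAGES = {"chrome.exe", "chrome"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def chrome_process_type(cmdline: str) -> str | None:
    """Value of the --type= switch on a Chrome command line, or None for the browser process."""
    for token in cmdline.split():
        if token.startswith("--type="):
            return token.split("=", 1)[1]
    return None


def evaluate_spawn(event: dict[str, str]) -> str | None:
    """Return an alert reason for a process-creation event, or None if benign."""
    if basename(event["parent_image"]) not in CHROME_IMAGES:
        return None
    ptype = chrome_process_type(event.get("parent_cmdline", ""))
    child = basename(event["image"])
    if ptype in SANDBOXED_TYPES:
        # Any child of the GPU or renderer process is anomalous; name the worst ones.
        if child in SUSPICIOUS_CHILDREN:
            return f"chrome {ptype} spawned {child}"
        return f"chrome {ptype} spawned unexpected child {child}"
    # The browser process legitimately spawns further chrome.exe helpers,
    # so only alert on the watchlist there.
    if child in SUSPICIOUS_CHILDREN:
        return f"chrome browser process spawned {child}"
    return None


def gpu_crash_bursts(
    crash_events: list[dict[str, str]],
    threshold: int = 3,
    window: timedelta = timedelta(minutes=10),
) -> list[tuple[str, str]]:
    """(host, timestamp) for every crash that completes `threshold` GPU-process
    crashes within `window` on one host. Repeated GPU crashes are a cheap, weak
    signal of exploitation attempts (or a broken driver), so triage rather than block.
    """
    hits: list[tuple[str, str]] = []
    recent: dict[str, deque[datetime]] = {}
    for ev in sorted(crash_events, key=lambda e: e["timestamp"]):
        if chrome_process_type(ev.get("cmdline", "")) != "gpu-process":
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        q = recent.setdefault(ev["host"], deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.append((ev["host"], ev["timestamp"]))
    return hits


# Constructed sample events.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_SPAWNS = [
    {"host": "ws-101", "parent_image": CHROME, "parent_cmdline": "chrome.exe --type=gpu-process",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-102", "parent_image": CHROME, "parent_cmdline": "chrome.exe",
     "image": CHROME},  # browser process starting a helper: benign
    {"host": "ws-103", "parent_image": CHROME, "parent_cmdline": "chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
SAMPLE_CRASHES = [
    {"host": "ws-104", "timestamp": "2026-03-10T09:00:00", "cmdline": "chrome.exe --type=gpu-process"},
    {"host": "ws-104", "timestamp": "2026-03-10T09:03:00", "cmdline": "chrome.exe --type=gpu-process"},
    {"host": "ws-104", "timestamp": "2026-03-10T09:05:00", "cmdline": "chrome.exe --type=gpu-process"},
    {"host": "ws-105", "timestamp": "2026-03-10T09:00:00", "cmdline": "chrome.exe --type=renderer"},
    {"host": "ws-105", "timestamp": "2026-03-10T09:01:00", "cmdline": "chrome.exe --type=gpu-process"},
]

if __name__ == "__main__":
    for ev in SAMPLE_SPAWNS:
        reason = evaluate_spawn(ev)
        if reason:
            print(f"ALERT {ev['host']}: {reason}")
    for host, ts in gpu_crash_bursts(SAMPLE_CRASHES):
        print(f"ALERT {host}: GPU-process crash burst ending {ts}")
```

The spawn rule is deliberately stricter for the GPU and renderer processes than for the browser process, because the former have no legitimate reason to create children while the latter starts chrome.exe helpers constantly; tune the crash threshold against your baseline, since flaky GPU drivers also produce clusters of GPU-process crashes.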

Compensating Controls: Where patching is delayed, enforce restrictive browser security policies through your Chrome enterprise management, and ensure that user accounts operate with the principle of least privilege. These controls do not prevent the overflow from being triggered; they limit what an attacker gains if a sandbox escape succeeds.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Browser-based memory corruption vulnerabilities are high-value targets for threat actors. Given the widespread use of Chrome, organizations must expedite the deployment of the latest updates to all endpoints to mitigate the risk of remote code execution.