Mallory
Critical

Out-of-bounds read in Google Chrome Media

Identifiers: CVE-2026-3061 · CWE-125 (Out-of-bounds Read)

CVE-2026-3061 is a High-severity out-of-bounds read vulnerability in the Media component of Google Chrome prior to version 145.0.7632.116. According to the underlying advisory, a remote attacker can trigger the flaw via a crafted HTML page, most likely by supplying malicious web or media content that is processed by Chrome's media pipeline. The bug lets memory be read outside its intended bounds during media handling, which creates an information disclosure condition. The issue was reported by Luke Francis on 2026-02-09 and fixed in Chrome 145.0.7632.116.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to perform an out-of-bounds memory read in the browser process that handles the vulnerable media content. This can disclose sensitive memory contents, potentially including user data or cryptographic material resident in process memory. As the broader Chromium/Debian advisory context notes, such a memory disclosure can also serve as a primitive in a larger exploit chain; the confirmed impact documented for CVE-2026-3061 itself, however, is information disclosure through memory exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted web content. Practical mitigations drawn from the advisory include restricting browsing to trusted sites, using web/network filtering to block malicious pages, isolating browser activity for high-risk users via sandboxed environments, VDI, or remote browser isolation, and monitoring endpoint telemetry for abnormal browser behavior or crashes that may indicate exploitation attempts. These are temporary risk-reduction measures, not substitutes for patching.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome to version 145.0.7632.116 or later. For Debian chromium packages, apply the vendor-fixed versions referenced in the Debian advisory: 145.0.7632.116-1~deb12u1 for oldstable (bookworm) and 145.0.7632.116-1~deb13u1 for stable (trixie). Enterprises should prioritize deployment through browser management tooling and verify that clients have actually updated.

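The verification step above is easy to get wrong when inventories mix `google-chrome --version` output with Debian package strings that carry a revision suffix. The following is an added example, not Mallory's code or Chromium's: it extracts the four-part upstream version from either form, compares it against the fixed release 145.0.7632.116 named in this advisory, and classifies a constructed inventory as patched, vulnerable or unknown. Hostnames and the sample versions other than the advisory's own are made up; `local_browser_version()` only reads a locally installed binary when one is on PATH.

```python
"""Check reported Chrome/Chromium versions against the CVE-2026-3061 fix.

Added example (not Mallory's or Chromium's code). Assumes version strings in
the shape produced by `google-chrome --version` ("Google Chrome 145.0.7632.116")
or by `dpkg-query -W -f='${Version}' chromium` ("145.0.7632.116-1~deb12u1").
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# First Chrome release containing the fix for CVE-2026-3061 (from the advisory).
FIXED_VERSION: Version = (145, 0, 7632, 116)

# Debian package versions carrying the fix (from the advisory). Only the upstream
# part before "-" matters for the comparison below.
DEBIAN_FIXED = {
    "bookworm": "145.0.7632.116-1~deb12u1",
    "trixie": "145.0.7632.116-1~deb13u1",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_upstream_version(text: str) -> Optional[Version]:
    """Pull the four-part Chromium version out of CLI or dpkg output.

    The Debian revision after "-" (e.g. "-1~deb12u1") is ignored because the
    upstream version alone decides whether the fix is present. Returns None
    when no version is found, so callers can flag the host as unknown.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_fixed(text: str) -> Optional[bool]:
    """True if the version in `text` is at or above the fixed release.

    Tuple comparison orders each numeric component, so 145.0.7632.99 sorts
    below 145.0.7632.116 (a plain string compare would get this wrong).
    """
    version = parse_upstream_version(text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def local_browser_version() -> Optional[str]:
    """Best-effort read of the locally installed browser's version string.

    Returns None when no known binary is on PATH, so the check still runs on
    hosts without Chrome instead of raising.
    """
    for binary in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(binary)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's reported version as 'patched', 'vulnerable' or 'unknown'."""
    result: Dict[str, str] = {}
    for host, reported in inventory.items():
        fixed = is_fixed(reported)
        if fixed is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if fixed else "vulnerable"
    return result


# Constructed sample inventory: hostnames and the non-advisory versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 145.0.7632.116",
    "ws-02": "Google Chrome 145.0.7632.99",
    "srv-bookworm": "145.0.7632.116-1~deb12u1",
    "srv-trixie-old": "144.0.7559.109-1~deb13u1",
    "ws-03": "Chromium 146.0.7700.12 built on Debian",
    "ws-04": "command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
    local = local_browser_version()
    print("local browser:", local or "not found", "->", is_fixed(local) if local else "n/a")
```

In a fleet check, replace `SAMPLE_INVENTORY` with version strings pulled from the endpoint management tool; any host that lands in "unknown" deserves a manual look, since a missing version usually means the browser is installed somewhere the inventory agent did not query.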
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product   Type
Google   Chrome    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (7)

Community discussion across Reddit, Mastodon, and other social sources.