Google scrambles to patch flaws as exploit code goes public

On February 18, 2026, Google published a follow-up Stable Channel Update for Desktop, moving Chrome to 145.0.7632.109/110 (Windows/macOS) and 144.0.7559.109 (Linux), with a staged rollout described as occurring over “the coming days/weeks.”

The Feb. 18 desktop update fixed three additional CVEs

Google’s Feb. 18 desktop release notes list three security fixes in that build, separate from CVE-2026-2441:

• CVE-2026-2648 (High): Heap buffer overflow in PDFium
• CVE-2026-2649 (High): Integer overflow in V8
• CVE-2026-2650 (Medium): Heap buffer overflow in Media

Extended Stable was updated for Windows and macOS

Google also updated the Extended Stable channel on February 18, 2026, bumping it to 144.0.7559.220 for Windows and Mac, again with a staged rollout over the coming days/weeks.

Mobile: Chrome 145 updates rolled out on Android and iOS, too

Alongside the desktop updates, Google posted stable updates for mobile:

• Android: Chrome 145 (145.0.7632.109), rolling out via Google Play.
• iOS: Chrome Stable 145 (145.0.7632.108), rolling out via the App Store.

Google’s Android note also reiterates that Android releases contain the same security fixes as the corresponding desktop releases unless stated otherwise.

CISA added CVE-2026-2441 to the Known Exploited Vulnerabilities catalog, with a March deadline

CVE-2026-2441 is now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and the NVD page mirrors KEV metadata showing:

• Date Added: 02/17/2026
• Due Date: 03/10/2026
• Required action: apply mitigations per vendor instructions (or discontinue use if mitigations aren’t available).

CISA also publicly announced adding CVE-2026-2441 to the catalog as part of a batch update. The NVD record was updated again, including a public PoC reference

The NVD entry’s change history shows additional updates after the initial disclosure, including a CISA-ADP modification on 02/20/2026 that added a reference to a publicly posted PoC link.