ISN 2026-04: Chromium Vulnerabilities Exploited in the Wild

First published 24 February 2026

CVSS:3.1: 8.8 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in Chromium, a web browser used in IGEL OS. This affects the following product versions:

• IGEL OS 12

• IGEL OS 11

Details

A use-after-free vulnerability has been found in Chromium’s CSS component (CVE-2026-2441, high). This could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google reports that this issue is being exploited in the wild. CVE-2026-2313 (high) is another use-after-free in CSS, but it is not known to be attacked.

Other vulnerabilities are a heap buffer overflow in Codecs (CVE-2026-2314, high) and an inappropriate implementation in WebGPU (CVE-2026-2315, high). The Libvpx library suffers from a heap buffer overflow (CVE-2026-1861, high), and the V8 JavaScript engine contains a type confusion (CVE-2026-1862, high). Finally, an inappropriate implementation has been found in the Background Fetch API (CVE-2026-1504, high).

Update Instructions

• OS 12: Update to Chromium app version 145.0.7632.75 or newer when available from the IGEL App Portal.

• OS 11: Update to IGEL OS 11.11.150.

References

• Chrome Release Blog: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html

• Chrome Release Blog: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html

• Chrome Release Blog: https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html