On February 18, 2026, Google released a stable channel tracking update for desktop, moving Chrome to 145.0.7632.109/110 (Windows/macOS) and 144.0.7559.109 (Linux), with a staggered rollout described as happening over the “next few days/weeks”
February 18 Desktop Update Fixes Three Additional CVEs
Table of Contents
Google’s February 18 desktop patch notes mention three security fixes in this release, in addition to CVE-2026-2441:
- CVE-2026-2648 (high): Buffer overflow in PDFium
- CVE-2026-2649 (high): Integer overflow in V8
- CVE-2026-2650 (Medium): Buffer overflow in Media
Extended Stable has been updated for Windows and macOS
Google also updated the Extended Stable channel on February 18, 2026, moving to version 144.0.7559.220 for Windows and Mac, again with a staggered rollout in the coming days/weeks.
Mobile: Chrome 145 updates also rolling out to Android and iOS
Along with updates for desktops, Google released stable updates for mobile phones:
- Android: Chrome 145 (145.0.7632.109), deployed via Google Play.
- iOS: Chrome Stable 145 (145.0.7632.108), deployed via the App Store.
Google Android’s note also reminds that Android versions contain the same security fixes as the corresponding desktop versions, unless otherwise noted.
CISA added CVE-2026-2441 to the catalog of known exploited vulnerabilities, with a March deadline
CVE-2026-2441 is now listed in CISA’s Catalog of Known and Exploited Vulnerabilities (KEV) ( ) The NVD page reflects the KEV metadata:
- Date added: 02/17/2026
- Due date: 03/10/2026
- Action Required: Apply mitigation measures in accordance with supplier instructions (or discontinue use if mitigation measures are not available).
CISA also publicly announced the addition of CVE-2026-2441 to the catalog as part of a batch update. The NVD record has been updated again, including a public PoC reference
The edit history of the NVD entry shows additional updates after the initial disclosure, including a CISA-ADP edit on 02/20/2026 that added a reference to a publicly released PoC link.
