Google is continuing to push new Chrome 145 Stable updates following its emergency response to CVE-2026-2441, a zero-day vulnerability that has already been exploited in the wild. After issuing the initial fix, the company has now released newer builds that include additional security patches across desktop and mobile, while the exploited flaw has also been added to a U.S. government-backed tracking catalog that urges faster remediation.
On February 18, 2026, Google published a follow-up Stable Channel update for desktop users. The rollout is staged, meaning it will reach everyone gradually over the coming days and weeks. The updated versions are Chrome 145.0.7632.109/110 for Windows and macOS, and Chrome 144.0.7559.109 for Linux.
This February 18 update doesn’t just ride on the momentum of the earlier emergency patch—it introduces three more security fixes that address separate vulnerabilities. Two of the issues are rated High severity and one is Medium, highlighting that the risk isn’t limited to the previously patched zero-day.
The three newly listed fixes are:
CVE-2026-2648 (High): Heap buffer overflow in PDFium
CVE-2026-2649 (High): Integer overflow in V8
CVE-2026-2650 (Medium): Heap buffer overflow in Media
Google also refreshed its Extended Stable channel on the same day, a track often used by organizations that prioritize fewer feature changes while still receiving important security updates. Extended Stable was bumped to version 144.0.7559.220 for Windows and macOS, and it’s also being delivered via a staged rollout over the coming days and weeks.
Chrome 145 updates aren’t limited to desktops, either. Google has pushed Stable releases to mobile platforms as well, ensuring Android and iPhone users aren’t left behind as security fixes land.
For mobile, the updates include:
Android: Chrome 145 (145.0.7632.109) via Google Play
iOS: Chrome Stable 145 (145.0.7632.108) via the App Store
Google also notes that Android releases typically include the same security fixes as the corresponding desktop versions unless the company specifically states otherwise—an important detail for users watching to see whether the latest desktop protections also apply on phones.
The bigger headline, however, is the escalating urgency around CVE-2026-2441. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a key list used across U.S. government agencies and widely referenced by security teams. The listing signals that this is not theoretical risk—there is real-world exploitation, and patching should be treated as a priority.
The catalog metadata (mirrored in the public vulnerability record) includes:
Date Added: 02/17/2026
Due Date: 03/10/2026
Required action: apply mitigations per vendor instructions (or discontinue use if mitigations aren’t available)
Adding to the concern, the public vulnerability record was updated again after the initial disclosure, including an entry showing that a proof-of-concept reference has been added. When exploit details become more widely available, the likelihood of copycat attacks can increase, making it even more important for users and organizations to stay current with Chrome updates.
For most people, the takeaway is simple: if you use Google Chrome on Windows, macOS, Linux, Android, or iOS, make sure you’re on the latest available version as soon as it reaches your device. With an exploited Chrome zero-day already on official tracked lists and additional high-severity bugs fixed in the same Stable line, delaying updates can leave unnecessary openings for attackers.
