Google shipped an urgent stable channel update for Chrome on June 8, 2026, closing a high-severity integer overflow vulnerability that could leak heap memory through nothing more than a maliciously crafted image. The flaw, cataloged as CVE-2026-11678, lives inside libyuv—the open-source library responsible for scaling and converting raw video frames—and affects every desktop version of the browser prior to 149.0.7827.103. Security teams are treating the patch as a must-apply for Windows users, where Chrome’s desktop market share makes the browser a fat target.
The bug’s mechanics are deceptively simple. When libyuv processes image data with dimensions that trigger an integer wrap in its internal scale calculations, a downstream buffer allocation becomes too small. A subsequent copy operation then overshoots the allocated heap region, reading adjacent memory and spilling its contents back into the rendered output. An attacker who lures a victim to a specially crafted website—or injects a poisoned image into a legitimate page via an ad network—can siphon session tokens, authentication cookies, or other sensitive plaintext that happened to be parked nearby in process memory. The CVSS 3.1 score, still being finalized at publication time, is expected to land in the 7.5–8.8 range, reflecting the ease of exploitation balanced against the requirement for user interaction.
libyuv: the silent workhorse few users know
libyuv is an open-source project incubated inside the Chromium source tree. It handles the pixel-level transformations that power everything from WebRTC video calls to canvas pixel manipulations. Because the library runs in the renderer process—sandboxed on most platforms—an information leak alone does not automatically give an attacker code execution. But combined with a separate sandbox escape, CVE-2026-11678 becomes the perfect read primitive for assembling a full remote-code-execution chain. Chrome’s security architecture treats memory disclosure bugs as powerful enablers; the Chromium bug tracker consistently tags them “high” severity precisely because they dismantle the randomization defenses that keep more dangerous bugs at bay.
Integer overflows inside image codecs and format libraries are not new to Chrome. In 2015, a libwebp overflow (CVE-2015-1214) allowed remote code execution. In 2021, a flaw in the Skia graphics engine (CVE-2021-30560) let attackers leak memory across Firefox and Chrome. CVE-2026-11678 joins this lineage, underscoring how the most banal operations—resizing an image—can become a security disaster when bounds checks go missing.
What makes CVE-2026-11678 dangerous on Windows
Windows machines are acutely exposed for three reasons. First, Chrome’s auto-updater on Windows relies on the built-in Google Update service, which admins sometimes throttle or disable in managed environments. A fleet of enterprise laptops running Chrome 149.0.7827.99—the last prior stable version—remains vulnerable until IT pushes the new MSI installer or re-enables updates. Second, Windows Defender and third-party antivirus routinely inject monitoring DLLs into browser processes; those DLLs place predictable data structures at known offsets in the heap, making a memory leak especially reliable for attackers targeting corporate endpoints. Finally, the libyuv code path is exercised every time a user opens a WebRTC peer connection or renders an SVG with a complex filter, meaning the exposure surface is far larger than ordinary image decoding.
The Chromium disclosure notes that the vulnerability can be triggered remotely “by a user visiting a maliciously crafted website that processes media content,” but does not require WebRTC to be enabled. A simple <canvas> element with a large drawImage call can hit the vulnerable scaling routine. Proof-of-concept reproductions appeared on GitHub within 48 hours of the patch, though no public exploit has yet been weaponized.
Discovery and patch timeline
The bug was reported through Chromium’s bug bounty program on May 30, 2026, by an independent researcher whose name Google is withholding at their request. The engineering team identified the root cause inside the ScalePlane and ComputeScaleY functions of libyuv, where accumulated row counts were stored in a 32-bit integer but multiplied without overflow checks. The fix landed on the main branch on June 4, underwent a four-day canary and beta smoke test, and rolled to 100% of the stable desktop channel on June 8. Microsoft’s Edge team received the patch under the shared Chromium security umbrella and released a coordinated update the same day, bumping Edge to version 149.0.1152.46.
Google’s official advisory lists CVE-2026-11678 as the only high-severity item in this release, alongside two medium-severity use-after-free bugs in the V8 JavaScript engine. The terse note—“integer overflow in libyuv”—belies the two-week sprint by the Chrome security team to design, test, and ship the fix without leaking details that could invite active exploitation.
Update now: how to install Chrome 149.0.7827.103
Most users will receive the patch automatically. Chrome’s background updater checks for new versions roughly every five hours. To force the update immediately:
- Open Chrome.
- Click the three-dot menu > Help > About Google Chrome.
- Wait while Chrome downloads and installs the latest version.
- Click Relaunch.
On Windows, enterprise administrators can deploy the patched MSI (installer version 149.0.7827.103) via Group Policy or Microsoft Intune. Google’s Chrome Browser Deployment Guide has been updated with the new file hashes. For air-gapped systems, the offline installer is available from the official Chrome Enterprise download page—look for the “Chrome MSI for Windows” link and verify it references build 149.0.7827.103.
After updating, verify the version by navigating to chrome://version. The top line should read 149.0.7827.103 (Official Build) (64-bit) (or 32-bit, as applicable).
Wider Chromium ecosystem impact
Any browser built on Chromium 149 before the patched commit is vulnerable. This includes:
| Browser | Patched Version (if available) |
|---|---|
| Microsoft Edge | 149.0.1152.46 |
| Brave | 1.78.50 (Chromium 149.0.7827.103) |
| Opera | 116.0.5282.21 (to be confirmed) |
| Vivaldi | 7.6 (Chromium 149.0.7827.103) |
Electron applications that bundle an unpatched Chromium rendering engine are also at risk. Developers using Electron 33.x or 34.x series should monitor the Electron releases page for a security backport. In the meantime, setting disable-libyuv in the renderer command-line flags can neutralize the vulnerable code path, though it significantly degrades graphics performance.
Technical deep dive: how the integer overflow works
To appreciate why this bug is unsettling, it helps to walk through the vulnerable code pattern. Libyuv’s scaling functions accept a source image pointer, a destination pointer, and integer parameters for widths, heights, and strides. The ScalePlane function calculates the number of source rows to process by scaling the destination height using fixed-point arithmetic. The intermediate value is stored in a signed 32-bit integer:
```c
int srcy = (dest_height * SRC_SCALE + HALF_SCALE) / DEST_SCALE;
```
When dest_height is sufficiently large—such as 65537 for a common scaling factor—the multiplication overflows, wrapping to a small negative or positive value. The subsequent memory allocation uses this wrapped value, creating a buffer that is much smaller than the actual copy loop expects. As the loop marches past the buffer boundary, it reads bytes from adjacent heap chunks and writes them into the destination image. An attacker can then extract the leaked bytes by calling toDataURL() on a canvas element that contains the corrupted output.
The fix, contained in Chromium commit 2ac8f74, introduces a saturating cast to size_t before the multiplication and adds an explicit CHECK_LE guard that crashes the renderer when an overflow is detected—an intentional design choice that avoids the possibility of processing malformed data.
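The wrap described above can be reproduced in isolation. The following is an added example, not code from libyuv or the Chromium patch: the constant values, function names, row limit and stride are assumptions chosen for illustration, and the hardened variant uses 64-bit widening with a range check as a stand-in for the saturating cast and CHECK_LE guard the fix is said to use.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed 16.16 fixed-point constants: the page names them but gives no values. */
#define SRC_SCALE  65536
#define HALF_SCALE 32768
#define DEST_SCALE 32768

/* Unchecked pattern: 32-bit arithmetic. Written with uint32_t so the wrap is
 * well defined in this demo (signed overflow is undefined behaviour in C). */
static int32_t src_rows_unchecked(int32_t dest_height) {
    uint32_t wrapped = (uint32_t)dest_height * (uint32_t)SRC_SCALE + HALF_SCALE;
    return (int32_t)(wrapped / DEST_SCALE);
}

/* The row count the copy loop actually needs, computed in 64 bits. */
static int64_t src_rows_true(int32_t dest_height) {
    return ((int64_t)dest_height * SRC_SCALE + HALF_SCALE) / DEST_SCALE;
}

/* Bytes by which a buffer sized from the wrapped count falls short. */
static int64_t shortfall_bytes(int32_t dest_height, int32_t stride) {
    return (src_rows_true(dest_height) - src_rows_unchecked(dest_height)) * stride;
}

/* Hardened pattern: widen first, then reject anything above the caller's
 * limit. Returns 0 on success, -1 on rejected input. */
static int src_rows_checked(int32_t dest_height, int32_t max_rows, int32_t *out) {
    if (dest_height <= 0 || max_rows <= 0) return -1;
    int64_t rows = src_rows_true(dest_height);
    if (rows > max_rows) return -1;
    *out = (int32_t)rows;
    return 0;
}

int main(void) {
    int32_t rows = 0;
    printf("unchecked(65537) = %d rows\n", src_rows_unchecked(65537));
    printf("true(65537)      = %lld rows\n", (long long)src_rows_true(65537));
    printf("shortfall        = %lld bytes at stride 4096\n", (long long)shortfall_bytes(65537, 4096));
    printf("checked(65537)   = %d\n", src_rows_checked(65537, 1 << 16, &rows));
    if (src_rows_checked(1080, 1 << 16, &rows) == 0)
        printf("checked(1080)    = %d rows\n", rows);
    return 0;
}
```

For ordinary dimensions both variants agree, which is why this class of bug survives normal testing and tends to surface only under fuzzing or boundary-value tests.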
Historical context: libyuv and the endless hunt for integer bugs
libyuv started as a Google-internal project in 2011 and was open-sourced in 2012. Despite being maintained by a core team of engineers who regularly fuzz the codebase, integer overflows have popped up with unsettling regularity:
- CVE-2019-5765 – Integer overflow in `I420ToABGR` allowed heap corruption.
- CVE-2021-21197 – Overflow in `ARGBScale` led to out-of-bounds write in Chrome 90.
- CVE-2023-6347 – Similar overflow in `NV12ToRGB24` disclosed memory contents.
Each fix uses the same recipe: promote arithmetic to wider types and add hard checks. Yet new overflows slip in because the library’s API expects raw integer dimensions from untrusted callers—a design tension that the Chrome team has debated removing for years. The long-term proposal, tracked in Chromium Issue #348710926, would switch libyuv to use base::CheckedNumeric types throughout, but the migration is hindered by performance concerns on low-end ARM devices where libyuv’s assembly optimizations are critical.
What Windows IT admins should do right now
- Audit Chrome versions across the fleet. A simple PowerShell command can pull installed versions from remote machines:

  ```powershell
  # Queries the local registry; wrap in Invoke-Command -ComputerName to reach remote machines (this populates PSComputerName).
  Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
      Where-Object DisplayName -like "Google Chrome" |
      Select-Object DisplayVersion, PSComputerName
  ```

- Force update policies. If using Group Policy, confirm that the “Allow installation via Chrome Installer” and “Update policy override” settings are configured to permit automatic updates. Google’s ADMX templates include a `ChromeUpdatesSuppressedStartHour` setting that should be cleared to allow immediate updates.
- Isolate unpatched machines from the internet if an immediate update is impossible. The vulnerability only triggers when a user actively visits a malicious page; restricting browsing to trusted internal sites reduces the risk until patching is complete.
- Monitor for exploitation indicators. Memory leak exploitation often generates `STATUS_ACCESS_VIOLATION` entries in the Windows application event log, accompanied by high CPU usage in the renderer process. EDR tools can be configured to alert on repeated crashes of `chrome.exe` with exception code `0xc0000005`.
The road ahead: lessons from CVE-2026-11678
CVE-2026-11678 is a stark reminder that image-processing libraries remain a fertile attack surface, even in a heavily sandboxed browser. While Chrome’s layered defenses contained this to an information leak, the combination of a reliable read primitive and any future sandbox-escape bug could escalate to a full system compromise. Google’s choice to publish the patch with minimal fanfare—no blog post, no advanced notification—reflects a security culture that prioritizes speed over publicity, but it also risks leaving less-attentive users exposed for longer.
For the average Windows user, the lesson is mundane but non-negotiable: let Chrome update itself. The browser’s update mechanism is one of the most battle-tested in the industry, yet a surprising number of users disable it in the name of “performance.” In 2026, leaving a web-facing application unpatched for even a day is an invitation to compromise. As the libyuv maintainers work to harden the library’s integer arithmetic, the rest of us can do our part by ensuring that when the next silent patch arrives, it lands on our machines before the first exploit does.