CVE-2026-0900 Overview
CVE-2026-0900 is a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome. The flaw stems from an inappropriate implementation in V8 that allows a remote attacker to trigger object corruption through a crafted HTML page. Google patched the issue in Chrome 144.0.7559.59 and credits the Chromium security team with a High severity rating.
The vulnerability affects Chrome installations across Windows, macOS, and Linux. Successful exploitation requires the victim to visit an attacker-controlled web page, satisfying the user interaction requirement reflected in the CVSS vector.
Critical Impact
Remote attackers can corrupt V8 engine objects via a malicious HTML page, potentially leading to arbitrary code execution within the renderer process and full compromise of browser-handled data.
Affected Products
- Google Chrome versions prior to 144.0.7559.59
- Chrome on Microsoft Windows, Apple macOS, and Linux desktop platforms
- Chromium-based browsers that ship the vulnerable V8 build
Discovery Timeline
- 2026-01-20 - CVE-2026-0900 published to the National Vulnerability Database (NVD)
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-0900
Vulnerability Analysis
The vulnerability resides in V8, the open-source JavaScript and WebAssembly engine that powers Chrome. Google's advisory describes the root cause as an inappropriate implementation that enables object corruption when V8 processes content from a crafted HTML page. Object corruption in V8 typically allows an attacker to violate type assumptions the engine relies on during just-in-time (JIT) compilation or optimized code paths.
Once an attacker corrupts a JavaScript object's internal representation, they can construct primitives that read and write arbitrary memory inside the renderer process. These primitives are commonly chained to bypass V8 sandboxing and achieve renderer-side code execution. A second sandbox-escape vulnerability would be required to reach the host operating system, but renderer compromise alone exposes cookies, session tokens, and same-origin data.
Root Cause
The advisory categorizes the flaw under [CWE-NVD-noinfo] because Google withholds detailed technical information until the majority of users have updated. Based on the "inappropriate implementation" wording, the defect involves incorrect logic in a V8 component rather than a classic memory safety bug. Such logic errors frequently surface in the optimizing compiler, garbage collector, or builtin object handlers.
Attack Vector
Exploitation requires a victim to load attacker-controlled HTML in a vulnerable Chrome build. The attacker hosts JavaScript that triggers the flawed V8 code path, corrupts an internal object, and pivots to memory disclosure or code execution. Typical delivery methods include malvertising, watering-hole sites, and phishing links pointing to attacker-operated domains.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Chromium Issue Tracker Entry once Google removes restrictions for additional technical details.
Detection Methods for CVE-2026-0900
Indicators of Compromise
- Chrome renderer process crashes or unexpected restarts shortly after visiting unfamiliar web pages
- Outbound network connections from chrome.exe child processes to recently registered or low-reputation domains
- JavaScript payloads referencing unusual ArrayBuffer, Map transitions, or aggressive JIT warm-up loops in browser cache artifacts
Detection Strategies
- Inventory Chrome versions across endpoints and flag any installation below 144.0.7559.59
- Hunt for child processes spawned by the Chrome renderer that perform discovery commands such as whoami, net user, or PowerShell execution
- Correlate browser telemetry with proxy logs to identify users who visited domains shortly before anomalous endpoint behavior
Monitoring Recommendations
- Enable browser management policies that report installed Chrome versions to a central console
- Forward endpoint process and network telemetry to a SIEM for correlation against known malicious browser-exploit infrastructure
- Monitor for unusual file writes under Chrome user data directories that could indicate persistence following renderer compromise
How to Mitigate CVE-2026-0900
Immediate Actions Required
- Update Google Chrome to version 144.0.7559.59 or later on all Windows, macOS, and Linux endpoints
- Restart Chrome after the update to ensure the patched V8 binary is loaded into memory
- Apply equivalent updates for Chromium-derived browsers such as Microsoft Edge, Brave, and Opera once vendors ship matching builds
Patch Information
Google released the fix in the Stable channel update announced on January 13, 2026. Details are published in the Google Chrome Update Announcement. Enterprises using managed Chrome deployments should validate that auto-update is enabled and that the 144.0.7559.59 build has rolled out across the fleet.
Workarounds
- Block access to untrusted websites through web proxy or DNS filtering until patches are deployed
- Apply the DefaultJavaScriptSetting enterprise policy to disable JavaScript on high-risk user groups as a temporary control
- Enforce Site Isolation and the --site-per-process flag to limit cross-origin data exposure if renderer compromise occurs
# Verify the installed Chrome version on Linux endpoints
google-chrome --version
# Enterprise policy example (Windows registry) to disable JavaScript on legacy hosts
reg add "HKLM\Software\Policies\Google\Chrome" /v DefaultJavaScriptSetting /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
