Guy Zyskind emphasized that the whitepaper reframes the conversation around quantum threats, stating that the traditional 10-year migration window now seems dangerously optimistic given Google's findings.
The first vulnerability, CVE-2026-4673, is a heap buffer overflow issue in WebAudio that earned the reporting researcher a $7,000 bug bounty reward. Google has yet to determine the bounty amount for CVE-2026-4677, another bug reported by the same researcher.
CVE-2026-3909 is an out-of-bounds write flaw in Skia, the graphics library Chrome uses to render web content and parts of its user interface. Memory corruption bugs like this can sometimes be abused by attackers to crash applications or run their own code if successfully exploited.
Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild. CVE-2026-3909 is described as an out-of-bounds write defect in the Skia graphics library. It could be triggered via malicious HTML pages to corrupt memory, which could lead to arbitrary code execution or crashes.
Gene Moody, field CTO at Action1, explained that, in this vulnerability, a browser frees an object, but later continues to use the stale reference memory location. Any attacker who can shape heap layout with controlled content can potentially replace the contents of that freed memory with data they control. Because this lives in the renderer, and is reachable through normal page content, he said, the trigger surface is almost absolute.
Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward. The two other high-severity defects, tracked as CVE-2026-2314 and CVE-2026-2315, were found and reported by Google and are described as a heap buffer overflow in Codecs and an inappropriate implementation in WebGPU, respectively.
