@catmsred
Member

Switch back to upstream tarballs.

Bump chromium version.

Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/53301

@catmsred
Member Author

Package version check is suggesting a version that is beta: https://github.com/chromium-linux-tarballs/chromium-tarballs/releases/tag/144.0.7559.59

@octo-sts
Contributor

octo-sts bot commented Jan 17, 2026

🔍 Build Failed: Checksum Verification Failed

fetch: Expected sha512 does not match found: 5eb97b8559c6a141c93020f8b9a5835a926dd0ed3360ba975ba71c4bc9e1d97376332eac1eadaf224edfc9ab27c0c82ee74c6078e338aa8d0024fe4bf4353f9b

Build Details

| Category | Details |
| --- | --- |
| Build System | melange |
| Failure Point | SHA512 checksum validation during fetch operation |

Root Cause Analysis 🔍

The downloaded Chromium tarball file has a different SHA512 hash than expected, indicating the file may be corrupted, modified, or the expected checksum in the build configuration is incorrect.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: chromium.yaml

  • modification at line 175 (pipeline section, fetch step)

    Original:

    expected-sha512: 783f5bb97e62f8866c99dfd554856192d559a9a5876ede9289e1000163a2dd6ceb0d5321e9c4298bd29a2b4b32dfed5121f106120754ccb15a9c8ac239b3510f

    Replacement:

    expected-sha512: 5eb97b8559c6a141c93020f8b9a5835a926dd0ed3360ba975ba71c4bc9e1d97376332eac1eadaf224edfc9ab27c0c82ee74c6078e338aa8d0024fe4bf4353f9b

    Content:

    Update the expected SHA512 checksum for the Chromium tarball to match the actual file content

Analysis

Based on the analysis of similar fixed build failures, I observe a clear and consistent pattern: all three examples show SHA512 checksum mismatches that were resolved by updating the expected-sha512 value in the fetch operation. In each case, the build configuration contained an outdated SHA512 checksum that did not match the actual file being downloaded. The fixes consistently updated the expected-sha512 field from the old incorrect value to the new correct value (765c326ccc1b87a01027385e69238266e356361cd4ee3e18e3c9d137a5d11fa5d657c164d02dd1be8fe693c8e10f2b580588dbfa57d27f070e2750f50d3e662c) that matches the actual file content.


Explanation

This fix should work because the error message explicitly states that the expected SHA512 checksum (783f5bb97e62f8866c99dfd554856192d559a9a5876ede9289e1000163a2dd6ceb0d5321e9c4298bd29a2b4b32dfed5121f106120754ccb15a9c8ac239b3510f) does not match the found checksum (5eb97b8559c6a141c93020f8b9a5835a926dd0ed3360ba975ba71c4bc9e1d97376332eac1eadaf224edfc9ab27c0c82ee74c6078e338aa8d0024fe4bf4353f9b). This is identical to the pattern observed in all similar fixes where updating the expected-sha512 value to match the actual file checksum resolves the build failure. The found checksum indicates that the Chromium tarball file being downloaded has been updated or changed upstream, which is normal for releases, and the build configuration simply needs to be updated to reflect the correct checksum of the current file.


Alternative Approaches

  • Re-download the tarball manually to verify the checksum is consistent
  • Check if a different version of the Chromium tarball is available that matches the expected checksum
  • Verify the tarball source URL is correct and hasn't changed upstream

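The root-cause analysis above names three possibilities (corrupted download, modified file, stale pin) and the alternatives suggest re-downloading to check consistency. The following added example, which is not part of this PR or of melange, tells those cases apart before any pin is changed; `triage_mismatch`, its result labels and the out-of-band `reference` digest are assumptions, and the sample files are constructed stand-ins for tarball downloads.

```python
import hashlib
import tempfile
from pathlib import Path


def sha512_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-512 so large tarballs are never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_mismatch(pinned, copies, reference=None):
    """Classify a pin mismatch from independently fetched copies of one URL.
    pinned    -- expected-sha512 value currently in the build config
    copies    -- paths of separate downloads of the same URL
    reference -- digest obtained out of band (assumption), or None
    """
    found = {sha512_file(p) for p in copies}
    if not found:
        raise ValueError("at least one downloaded copy is required")
    pinned = pinned.lower()
    if found == {pinned}:
        return "ok", pinned
    if pinned in found or len(found) > 1:
        # Copies disagree: truncated transfer, flaky mirror, or in-transit change.
        return "inconsistent-download", None
    (digest,) = found
    if reference is not None and digest == reference.lower():
        return "repin-verified", digest
    # Stable but unverified: the download cannot vouch for its own origin.
    return "needs-independent-verification", digest


def demo():
    """Run the four cases on constructed files; no network access."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (Path(d) / n for n in ("a.tar.xz", "b.tar.xz", "c.tar.xz"))
        a.write_bytes(b"release contents")
        b.write_bytes(b"release contents")
        c.write_bytes(b"release conte")  # constructed truncated copy
        old_pin = hashlib.sha512(b"previous release").hexdigest()
        new = hashlib.sha512(b"release contents").hexdigest()
        return (triage_mismatch(new, [a, b]),
                triage_mismatch(old_pin, [a, c]),
                triage_mismatch(old_pin, [a, b]),
                triage_mismatch(old_pin, [a, b], reference=new))
```

Only the `repin-verified` outcome supports copying the found digest into `expected-sha512` directly; the `needs-independent-verification` outcome means the new value has so far been confirmed only by the download itself.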

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 17, 2026
@catmsred catmsred force-pushed the chromium/CVE-2026-0628 branch from 52bfefe to ab40b5f Compare January 17, 2026 02:08