Chrome 145 brings back JPEG XL

Contents

Google has released Chrome 145 for Windows, macOS, and Linux. The version includes some minor new features and closes eleven security vulnerabilities, including three high priority ones. Most importantly, however, the new version of the browser brings back support for the JPEG XL image format, which Google had officially refused for a long time.

JPEG XL: From removal to return

Google had removed support for the format in Chrome 110 at the beginning of 2023, with the justification that there was too little interest in the ecosystem and insufficient advantages over existing formats. The decision met with massive criticism: over 1000 upvotes in the Chromium bug tracker protested against the removal, and the Free Software Foundation criticized the decision as a restriction of user choice. Jon Sneyers, co-developer of JPEG XL, suspected an internal conflict at Google between JPEG XL proponents and representatives of the competing Google formats AVIF and WebP.

JPEG XL was developed as a modern standard for image compression and is based on Google's PIK and Cloudinary's FUIF. The standard was finalized in December 2020 and adopted as an international standard in October 2021. The format offers higher compression rates than JPEG, supports lossless compression, and is open and royalty-free. JPEG XL was already available experimentally from Chrome 91 with a feature flag.

The re-evaluation began in November 2025, when the Chromium team announced its resumption. Several factors were decisive: Apple had implemented JPEG XL support in Safari, Mozilla had abandoned its neutral stance, and the PDF Association had included the format in PDF specifications as recommended in October 2025. Technically, Chromium plans to integrate “jxl-rs,” a Rust-based JPEG XL decoder. Google is already using the format in practice: the Google Cloud Platform DICOM API uses JPEG XL to reduce file size by 20 percent.

New features in Chrome 145

Chrome 145 also brings various new features. Column wrapping for Multicol enables vertical column layout and 2D column layout. Device bound session credentials better protect user sessions. The new Origin API simplifies working with origins. For CSS, the browser now supports the text-justify property for better control over text alignment in justified text, as well as percentage values for letter-spacing and word-spacing for responsive typography.

Further innovations include optimized shadow calculation for high border-radius values, new event handlers such as onanimationcancel for CSS animations, and the focusVisible option for controlling the focus ring display. The customizable-select element improves listbox rendering, while monochrome emojis in forced-colors mode improve display.

Fixed security vulnerabilities

Three vulnerabilities classified as "High Severity" are particularly critical. CVE-2026-2313 affects a use-after-free error in CSS, CVE-2026-2314 describes a heap buffer overflow in the codecs, and CVE-2026-2315 a faulty implementation in WebGPU. All three vulnerabilities can be exploited through manipulated HTML pages and achieve a CVSS score of 8.8. For reporting CVE-2026-2313, Google paid US$8,000 to researchers Han Zheng, Wenhao Fang, and Qinying Wang.

The medium-severity security vulnerabilities include, among others, CVE-2026-2316, which allows UI spoofing in frames, and CVE-2026-2317, which permits cross-origin data leakage in the animation implementation. A race condition in DevTools (CVE-2026-2319) could enable object corruption via malicious extensions. In total, Google paid between $500 and $8,000 in bounties for the reported vulnerabilities.

All information about the new version 145 can be found in the release notes. Users should update Chrome promptly, as the security vulnerabilities can be exploited remotely via manipulated websites. Chrome usually updates automatically, but users can manually initiate the update via “Settings/About Google Chrome.”

(fo)