Google has released emergency security updates for Chrome to address a high-severity zero-day vulnerability that is actively exploited in the wild.
The flaw, tracked as CVE-2026-2441, is the first Chrome zero-day disclosed in 2026 and impacts the browser’s CSS engine.
The update brings Chrome to version 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux, and is rolling out to users over the coming days and weeks. Google confirmed that an exploit for CVE-2026-2441 exists in the wild but has restricted technical details until a majority of users have applied the fix.
The vulnerability was reported by security researcher Shaheen Fazim on February 11, 2026, just two days before Google pushed the fix to the Stable channel. According to the National Vulnerability Database (NVD), the issue is a “use-after-free” bug in Chrome’s handling of CSS that allows a remote attacker to execute arbitrary code within the browser’s sandbox by tricking a victim into visiting a specially crafted HTML page.
Google Chrome is the world’s most widely used web browser, with billions of users across desktop and mobile platforms. Built on the open-source Chromium project, Chrome’s rendering engine processes complex web content, including HTML, JavaScript, and CSS, making memory safety a critical component of its security posture. While Chrome employs multiple exploit mitigations, including AddressSanitizer, MemorySanitizer, Control Flow Integrity (CFI), libFuzzer, and AFL for bug discovery and hardening, memory safety issues in complex components, such as CSS parsing, remain a recurring attack vector.
A use-after-free vulnerability occurs when a program continues to reference a memory location after it has already been freed or released back to the system. If an attacker can manipulate the memory layout, often through specially crafted web content, they may be able to place controlled data in the freed memory region. When the program later accesses that region, it may execute malicious code.
In the context of Chrome’s CSS engine, exploitation would typically involve a malicious webpage that triggers specific rendering behavior. By exploiting memory mismanagement during CSS parsing or layout calculations, an attacker could achieve arbitrary code execution within the browser’s sandboxed renderer process.
Google did not share information about how CVE-2026-2441 has been exploited in the wild, who may be behind the attacks, or whether they were targeted or widespread. As is customary with active zero-days, technical details and proof-of-concept information are being withheld to reduce the risk of further exploitation before patch adoption reaches a critical threshold.
Users are strongly advised to update Chrome immediately. You can verify your browser version and trigger an update by navigating to Settings → About Chrome, which will automatically download and install the latest version. A browser restart is required to complete the update process.
Leave a Reply