Right after Apple’s CVE-2026-20700 zero-day under active exploitation made headlines, Google released security updates for Chrome to address the first actively exploited Chrome zero-day of 2026.
CVE-2026-2441 Analysis
The high-severity flaw, tracked as CVE-2026-2441, is a use-after-free vulnerability in Chrome’s CSS component. NIST’s NVD description notes that the issue could allow a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page. In fact, a user only needs to land on a maliciously crafted page for the attacker to trigger the bug and run code within the browser’s sandboxed environment.
Zero-day exploitation is rising. In 2024, Google’s Threat Intelligence Group reported 75 zero-days exploited in real attacks, and by 2025 exploits were still the top initial access method, accounting for 33% of intrusion paths. In that context, browser vulnerabilities remain a persistent threat for defenders. Browsers are everywhere, they continuously handle untrusted web content, and the trigger can be as simple as a user opening a link.
Sign up for SOC Prime Platform to access the global marketplace of 750,000+ detection rules and queries made by detection engineers, updated daily, and enriched with AI-native threat intel to proactively defend against existing threats and those anticipated most. The extensive detection stack can be filtered by the “CVE” tag. All detections are compatible with dozens of SIEM, EDR, and Data Lake formats and are mapped to MITRE ATT&CK®.
Security experts can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.
CVE-2026-2441 Mitigation
Google’s advisory notes that a fix for CVE-2026-2441 was delivered in the Stable channel update released on February 13, 2026. The patched builds are Chrome 145.0.7632.75/76 for Windows and macOS and 144.0.7559.75 for Linux, with rollout expected over the following days and weeks.
Google has shared very little technical detail, but it has confirmed it is aware of in-the-wild exploitation of CVE-2026-2441. Security researcher Shaheen Fazim has been credited with discovering and reporting the issue on February 11, 2026.
Users are advised to update Chrome to the fixed build on every endpoint and make sure the browser is restarted so the patched version is actually running. Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats.
FAQ
What is CVE-2026-2441 and how does it work?
CVE-2026-2441 is a high-severity use-after-free vulnerability in Chrome’s CSS component that can be triggered by a crafted HTML page and used to execute arbitrary code inside the Chrome sandbox.
When was CVE-2026-2441 first discovered?
Google’s Chrome release notes credit Shaheen Fazim with reporting the issue on February 11, 2026, and the Stable channel fix shipped on February 13, 2026.
What risks does CVE-2026-2441 pose to organizations?
Because exploitation is confirmed in the wild, the risk is practical and immediate. A successful exploit can turn normal browsing into an entry point for malware delivery, credential theft through session hijacking or token access, and follow-on compromise when paired with additional vulnerabilities or social engineering.
Can CVE-2026-2441 still affect me in 2026?
Yes. Any system running Chrome versions prior to 145.0.7632.75/76 for Windows and macOS and 144.0.7559.75 for Linux, or systems that downloaded the update but have not restarted Chrome, can remain exposed.
How can you protect yourself from CVE-2026-2441?
Update Chrome to the latest Stable build for your OS and restart the browser to apply it, then verify version compliance across endpoints.
Google has issued a patch for a high‑severity Chrome zero‑day, tracked as CVE‑2026‑2441, a memory bug in how the browser handles certain font features that attackers are already exploiting.
CVE-2026-2441 has the questionable honor of being the first Chrome zero-day of 2026. Google considered it serious enough to issue a separate update of the stable channel for it, rather than wait for the next major release.
How to update Chrome
The latest version number is 145.0.7632.75/76 for Windows and macOS, and 145.0.7632.75 for Linux. So, if your Chrome is on version 145.0.7632.75 or later, it’s protected from these vulnerabilities.
The easiest way to update is to allow Chrome to update automatically. But you can end up lagging behind if you never close your browser or if something goes wrong, such as an extension preventing the update.
To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.
Google confirms it has seen active exploitation but is not sharing who is being targeted, how often, or detailed indicators yet.
But we can derive some information from what we know.
The vulnerability is a use‑after‑free issue in Chrome’s CSS font feature handling (CSSFontFeatureValuesMap), which is part of how websites display and style text. More specifically: The root cause is an iterator invalidation bug. Chrome would loop over a set of font feature values while also changing that set, leaving the loop pointing at stale data until an attacker managed to turn that into code execution.
Use-after-free (UAF) is a type of software vulnerability where a program attempts to access a memory location after it has been freed. That can lead to crashes or, in some cases, lets an attacker run their own code.
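The iterator invalidation pattern described above, as an added generic C++ illustration (not Chromium's code and not part of the original article). FeatureMap and its methods are hypothetical names; the block shows the unsafe loop beside two safer forms, a mutation check that stops before the stale iterator is reused and iteration over a snapshot of keys.

```cpp
// Added illustration (generic C++, not Chromium source); names are hypothetical.
#include <cstddef>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

class FeatureMap {  // stand-in for a map of font feature values
 public:
  using Visitor = std::function<void(const std::string&, const std::vector<int>&)>;
  void Set(const std::string& k, const std::vector<int>& v) { data_[k] = v; ++epoch_; }
  void Erase(const std::string& k) { if (data_.erase(k) > 0) ++epoch_; }
  std::size_t Size() const { return data_.size(); }

  // BEFORE: if visit() erases the current entry, `it` refers to a freed node
  // and `++it` reads freed memory (undefined behaviour).
  void ForEachUnsafe(const Visitor& visit) {
    for (auto it = data_.begin(); it != data_.end(); ++it) visit(it->first, it->second);
  }

  // AFTER (fail fast): detect the change before the iterator is touched again.
  void ForEachChecked(const Visitor& visit) {
    const std::size_t start = epoch_;
    for (auto it = data_.begin(); it != data_.end(); ++it) {
      visit(it->first, it->second);
      if (epoch_ != start) throw std::logic_error("map mutated during iteration");
    }
  }

  // AFTER (snapshot): walk copied keys and look each one up again, so no
  // iterator or reference into the live map is held across a callback.
  std::size_t ForEachSnapshot(const Visitor& visit) {
    std::vector<std::string> keys;
    for (const auto& kv : data_) keys.push_back(kv.first);
    std::size_t visited = 0;
    for (const auto& k : keys) {
      auto it = data_.find(k);
      if (it == data_.end()) continue;           // erased by an earlier callback
      const std::vector<int> copy = it->second;  // visitor gets a private copy
      visit(k, copy);
      ++visited;
    }
    return visited;
  }
 private:
  std::map<std::string, std::vector<int>> data_;
  std::size_t epoch_ = 0;  // bumped on every Set or successful Erase
};
```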
The CVE record says, “Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.” (Chromium security severity: High)
This means an attacker would be able to create a special website, or other HTML content that would run code inside the Chrome browser’s sandbox.
Chrome’s sandbox is like a secure box around each website tab. Even if something inside the tab goes rogue, it should be confined and not able to tamper with the rest of your system. It limits what website code can touch in terms of files, devices, and other apps, so a browser bug ideally only gives an attacker a foothold in that restricted environment, not full control of the machine.
Running arbitrary code inside the sandbox is still dangerous because the attacker effectively “becomes” that browser tab. They can see and modify anything the tab can access. Even without escaping to the operating system, this is enough to steal accounts, plant backdoors in cloud services, or reroute sensitive traffic.
If chained with a vulnerability that allows a process to escape the sandbox, an attacker can move laterally, install malware, or encrypt files, as with any other full system compromise.
How to stay safe
To protect your device against attacks exploiting this vulnerability, you’re strongly advised to update as soon as possible. Here are some more tips to avoid becoming a victim, even before a zero-day is patched:
Don’t click on unsolicited links in emails, messages, unknown websites, or on social media.
Enable automatic updates and restart regularly. Many users leave browsers open for days, which delays protection even if the update is downloaded in the background.
Use an up-to-date, real-time anti-malware solution which includes a web protection component.
Users of other Chromium-based browsers can expect to see a similar update.
Google patched Chrome zero-day CVE-2026-2441, a high-severity CSS use-after-free flaw actively exploited in the wild.
Google has released urgent security updates to address a high-severity zero-day vulnerability, tracked as CVE-2026-2441, in Chrome that is already being exploited in real-world attacks. The flaw is a use-after-free bug in the browser’s CSS component.
This is the first actively exploited Chrome zero-day fixed in 2026, after eight similar flaws were patched in 2025.
The description of the vulnerability provided by NIST’s National Vulnerability Database (NVD) reads: “Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.”
An attacker could exploit the flaw to compromise affected systems. The issue was discovered and responsibly reported by security researcher Shaheen Fazim on February 11, 2026.
“CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11.” reads Google’s advisory. “Google is aware that an exploit for CVE-2026-2441 exists in the wild.”
Google has confirmed that an exploit for CVE-2026-2441 exists in the wild, but has not shared details about how it is being used or which threat actor is behind the exploitation of the flaw.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also install updates once available. Chrome’s Stable channel has been updated to versions 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux, with the rollout happening over the coming days and weeks.