Critical Zero-Day Vulnerability Discovered in Google Chrome
CVE-2026-2441 is a serious zero-day vulnerability in Google Chrome that affects millions of users across various operating systems. The flaw is being actively exploited and lets attackers execute arbitrary code within the browser’s sandbox environment.
CVE-2026-2441 is a use-after-free vulnerability in the CSS component of Google Chrome. It arises from an iterator invalidation flaw in CSSFontFeatureValuesMap, which governs CSS font values. By exploiting this weakness, attackers can access memory that has already been released, which lets them manipulate the heap memory layout. The defect can be triggered during style recalculation when a user visits a malicious webpage containing specially crafted CSS. Importantly, exploitation requires no user interaction beyond the initial visit, which raises the risk of successful attacks.
Reported to Google on February 11, 2026, the vulnerability was acknowledged as being actively exploited in the wild before a patch was available, which makes it a zero-day. Its impact is currently confined to code execution within Chrome’s sandbox, but there are concerns that advanced attackers could combine this flaw with other vulnerabilities to escape the sandbox and potentially compromise entire systems.
To mitigate the risk, users are advised to upgrade promptly to Google Chrome version 145.0.7632.75 or 145.0.7632.76 on Windows/macOS, or 144.0.7559.75 on Linux. It is also important to ensure that automatic updates are enabled and to monitor browser behavior for any abnormal activity.
Why this matters: This zero-day vulnerability poses a significant risk to end users worldwide because it allows attackers to execute code without direct user interaction, increasing the likelihood of successful exploitation. Defenders must prioritize updating affected systems and monitor for unusual behavior to safeguard their environments.
Indicators of Compromise (IOCs): No specific IOCs were mentioned in the article.



