Google has released an emergency security update for Chrome to address CVE-2026-2441, a high-severity use-after-free vulnerability that is already being exploited in the wild. This marks the first actively exploited zero-day in Chrome that Google has patched in 2026, underscoring the ongoing threat that browser-based vulnerabilities pose to organizations worldwide.
The Vulnerability: Use-After-Free in CSS
CVE-2026-2441 is classified as a use-after-free (UAF) bug in Chrome’s CSS handling component. With a CVSS score of 8.8 (High), the vulnerability allows a remote attacker to execute arbitrary code inside the browser sandbox via a specially crafted HTML page.
According to the NIST National Vulnerability Database, the flaw affects Google Chrome versions prior to 145.0.7632.75. The vulnerability was discovered and reported by security researcher Shaheen Fazim on February 11, 2026—just two days before Google released the patch.
Active Exploitation Confirmed
Google has confirmed that “an exploit for CVE-2026-2441 exists in the wild,” though the company has not disclosed details about:
- Who is exploiting the vulnerability
- The targeted victims or industries
- The nature of the attacks
Withholding this information is typical for actively exploited vulnerabilities, as it gives users time to patch before attack details become widely known.
Historical Context
Browser-based vulnerabilities remain highly attractive targets for threat actors due to their ubiquity and broad attack surface. In 2025, Google addressed eight zero-day flaws in Chrome that were either actively exploited or demonstrated as proof-of-concept exploits.
The rapid turnaround—from researcher disclosure on February 11 to patch release on February 13—demonstrates Google’s commitment to addressing critical security issues, but also highlights how quickly attackers can weaponize browser vulnerabilities.
Immediate Actions Required
Update Chrome immediately to the following versions:
- Windows and macOS: 145.0.7632.75/76
- Linux: 144.0.7559.75
To update, navigate to Menu → Help → About Google Chrome and click Relaunch after the update downloads.
Other Chromium-Based Browsers
Users of other Chromium-based browsers should also apply updates as they become available:
- Microsoft Edge
- Brave
- Opera
- Vivaldi
Security Recommendations
For enterprise security teams:
- Deploy the patch immediately across all managed Chrome installations
- Monitor for exploitation indicators in your SIEM/EDR solutions
- Review browser policies to ensure auto-updates are enabled
- Consider browser isolation for high-risk users accessing untrusted content
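As an added example (not from the original article or from Google), the following Python script triages a browser inventory against the fixed versions listed in this article. The CSV layout, host names and sample versions are constructed assumptions; versions are compared as integer tuples because a plain string comparison would rank 145.0.7632.9 above 145.0.7632.75.

```python
import csv
import io

# Minimum fixed versions as stated in this article, keyed by platform.
FIXED = {
    "windows": "145.0.7632.75",
    "macos": "145.0.7632.75",
    "linux": "144.0.7559.75",
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform, version):
    """True when the installed version is below the fixed version for that platform."""
    fixed = FIXED[platform.strip().lower()]
    return parse_version(version) < parse_version(fixed)

def triage(inventory_csv):
    """Return (outdated, unparsed) host lists from a host,platform,version CSV."""
    outdated, unparsed = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if needs_update(row["platform"], row["version"]):
                outdated.append(row["host"])
        except (KeyError, ValueError):
            # Unknown platform or malformed version: flag for manual review.
            unparsed.append(row["host"])
    return outdated, unparsed

# Constructed sample inventory (hypothetical hosts and versions), not real data.
SAMPLE = """host,platform,version
ws-001,windows,145.0.7632.75
ws-002,windows,145.0.7632.9
mac-001,macos,144.0.7559.132
lnx-001,linux,144.0.7559.75
lnx-002,linux,143.0.7499.192
kiosk-7,windows,unknown
"""

if __name__ == "__main__":
    outdated, unparsed = triage(SAMPLE)
    print("needs update:", outdated)
    print("manual review:", unparsed)
```

Hosts whose version cannot be parsed are reported separately so they are not silently counted as patched.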
The rapid weaponization of this vulnerability reinforces the importance of maintaining aggressive patching cadences for browsers and other internet-facing applications.
Source: The Hacker News
