vulnerability | International | The Hacker News

Google Patches Actively Exploited Chrome Zero-Day (CVE-2026-2441)

Tuesday, February 17, 2026

What

A critical use-after-free vulnerability (CVE-2026-2441) in Chrome's CSS component has been actively exploited, enabling remote attackers to execute arbitrary code within a sandbox. This flaw is significant as it represents the first zero-day patched by Google for Chrome in 2026, highlighting the persistent threat of browser-based exploits.

Where

Google Chrome users on Windows, macOS, and Linux are directly affected. Other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are also impacted and advised to apply fixes.

When

The flaw was discovered and reported by Shaheen Fazim on February 11, 2026. Google released emergency updates on February 13 or 14, 2026.

Key Factors

  • The vulnerability is a use-after-free bug in CSS, specifically an iterator invalidation issue in CSSFontFeatureValuesMap, allowing for arbitrary code execution.
  • Google's patch for CVE-2026-2441 was "cherry-picked" into stable releases to address the immediate exploitation, with indications of "remaining work" on related issues.
  • This marks the first actively exploited Chrome zero-day patched in 2026, following eight similar flaws addressed in 2025, underscoring a continuous threat landscape.

Takeaways

  • Users must immediately update Google Chrome to versions 145.0.7632.75/76 (Windows/macOS) or 144.0.7559.75 (Linux) to mitigate active exploitation risks.
  • Users of other Chromium-based browsers should monitor and apply updates from their respective vendors as soon as they become available.
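
One way to act on these takeaways across a fleet, as an added example that is not from the original article: the script below compares Chrome versions from an inventory against the fixed builds listed above. The inventory rows, host names and status labels are constructed for illustration; other Chromium-based browsers are only flagged for a vendor check, because the article gives no fixed builds for them.

```python
# Added example: flag Chrome installs older than the fixed builds named above.
# Fixed builds as stated in the takeaways. Windows/macOS list .75/.76; the
# lower build is used as the minimum (assumption of this example).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(browser, platform, version):
    """Return 'patched', 'update-required', 'check-vendor' or 'unparseable'."""
    minimum = FIXED.get(platform.lower())
    if browser.lower() != "chrome" or minimum is None:
        # Edge, Brave, Opera and Vivaldi number their releases differently,
        # so they cannot be compared against Chrome's fixed builds.
        return "check-vendor"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    # Tuple comparison orders versions field by field, so a Windows/macOS
    # install on an earlier major line is reported as update-required.
    return "patched" if installed >= minimum else "update-required"

# Constructed inventory rows: (host, browser, platform, version)
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "windows", "145.0.7632.76"),
    ("ws-002", "Chrome", "windows", "144.0.7559.110"),
    ("mac-01", "Chrome", "macos", "145.0.7632.45"),
    ("lnx-01", "Chrome", "linux", "144.0.7559.75"),
    ("lnx-02", "Chrome", "linux", "144.0.7559.59"),
    ("ws-003", "Edge", "windows", "144.0.0.0"),
    ("ws-004", "Chrome", "windows", "unknown"),
]

def audit(inventory):
    """Map each host to its assessment."""
    return {host: assess(b, p, v) for host, b, p, v in inventory}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unparseable` or `check-vendor` need manual follow-up rather than being treated as patched.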
