Google Patches Actively Exploited Chrome Zero-Day CVE-2026-2441 in CSS
Google released an out-of-band Chrome Stable update to fix CVE-2026-2441, a high-severity, actively exploited zero-day caused by a use-after-free in Chrome’s CSS processing. The flaw allows a remote attacker to trigger arbitrary code execution within Chrome’s sandbox via a crafted HTML page, making drive-by exploitation feasible if a user visits a malicious or compromised site. The issue is scored CVSS 8.8 and has been characterized as extremely high risk due to confirmed in-the-wild exploitation.
The patched versions include Chrome 145.0.7632.75 (and .76 per platform guidance) for Windows and macOS, and 144.0.7559.75 for Linux; organizations should prioritize rapid browser updates across managed endpoints. Public reporting credits Shaheen Fazim with discovering and reporting the vulnerability (reported Feb 11, 2026), while Google has not disclosed exploit details, threat actor attribution, or targeting information beyond confirming that an exploit exists in the wild.
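As an added example (not part of the original report or Google's advisory), the following sketch checks an endpoint inventory against the fixed Stable builds quoted above and reports the days remaining until the CISA KEV due date listed in the timeline. The inventory format, hostnames and function names are assumptions made for illustration; records with an unrecognized platform or malformed version are reported as unknown rather than treated as patched.

```python
import re
from datetime import date

# Fixed Stable builds as stated on this page (minimum patched version per platform).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
KEV_DUE = date(2026, 3, 10)  # BOD 22-01 remediation date given in the timeline

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one endpoint record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never assume an unparseable record is safe
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory, today):
    """Group hostnames by status and report days left before the KEV due date."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    report["days_to_kev_due"] = (KEV_DUE - today).days
    return report


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "145.0.7632.75"),
    ("ws-002", "Windows", "145.0.7632.68"),
    ("mac-001", "macOS", "145.0.7632.76"),
    ("lin-001", "Linux", "144.0.7559.75"),
    ("lin-002", "Linux", "144.0.7559.67"),
    ("ws-003", "Windows", "144.0.7559.75"),  # Linux-fixed number, still below the Windows fix
    ("kiosk-01", "ChromeOS", "145.0.7632.75"),  # platform not covered by the page
    ("ws-004", "Windows", "145.0.7632"),  # truncated version string
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, date(2026, 2, 20)))
```

The thresholds cover only the desktop Stable builds named on this page; other channels or Chromium-based browsers need their own vendor-stated fixed versions.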
Timeline
Feb 20, 2026
Public proof-of-concept for CVE-2026-2441 is released
A public PoC exploit for CVE-2026-2441 was released, demonstrating how the CSSFontFeatureValuesMap iterator invalidation bug could be triggered on unpatched systems. The disclosure provided additional technical detail on heap grooming and crash behavior across Windows, macOS, and Linux.
Feb 20, 2026
Debian releases chromium security update DSA-6146-1
Debian issued security advisory DSA-6146-1 for chromium, indicating downstream remediation for the Chrome/Chromium vulnerability set that included CVE-2026-2441. This reflected vendor patch propagation to Linux distributions.
Feb 18, 2026
Google publishes follow-up Chrome Stable Channel security advisory
Google published another Chrome security advisory covering newer Stable Channel versions for Windows, macOS, and Linux. Canada's Cyber Centre relayed the notice and recommended users apply the additional updates when available.
Feb 18, 2026
CISA adds CVE-2026-2441 to the KEV catalog
CISA added CVE-2026-2441 to its Known Exploited Vulnerabilities catalog, citing active exploitation. Federal civilian agencies were required to remediate the issue under Binding Operational Directive 22-01 by March 10, 2026.
Feb 16, 2026
Canada's Cyber Centre publishes advisory on exploited Chrome flaw
The Canadian Centre for Cyber Security published advisory AV26-130 referencing Google's February 13 advisory and warning that CVE-2026-2441 was exploited in the wild. It urged users and administrators to review Google's guidance and apply updates.
Feb 16, 2026
HKCERT issues alert rating CVE-2026-2441 as extremely high risk
HKCERT issued an alert warning that CVE-2026-2441 was under active exploitation and categorized it as an extremely high-risk browser vulnerability. The alert urged users to update affected Chrome installations promptly.
Feb 13, 2026
Google releases emergency Chrome update for CVE-2026-2441
Google published an out-of-band Stable Channel security update to fix CVE-2026-2441 and confirmed the vulnerability was being exploited in the wild. Fixed versions were released for Windows, macOS, and Linux, with technical details restricted until more users update.
Feb 11, 2026
Shaheen Fazim reports Chrome zero-day CVE-2026-2441 to Google
Security researcher Shaheen Fazim reported CVE-2026-2441 to Google. The flaw is a use-after-free / iterator invalidation bug in Chrome's CSS font feature handling that can be triggered via crafted HTML.
Related Stories

Google Chrome Zero-Day CVE-2026-2441 Exploited in the Wild
Google released an urgent *Chrome for Desktop* Stable Channel update to address **CVE-2026-2441**, a high-severity zero-day that Google said has an exploit **active in the wild**. The issue is a **use-after-free in Chrome’s CSS component**, a memory-corruption flaw that can enable code execution in the browser context when a user visits a malicious or compromised webpage; the vulnerability was reported to Google by researcher **Shaheen Fazim**. The Canadian Centre for Cyber Security echoed the need to patch Chrome, advising organizations to update beyond affected Stable Channel versions (Windows/Mac prior to `145.0.7632.68` and Linux prior to `144.0.7559.67`), while third-party reporting indicated patched Stable builds rolling out to `145.0.7632.75/.76` (Windows/Mac) and `144.0.7559.75` (Linux). Other Canadian Centre advisories published in the same period covered unrelated vendor patches for **Tenable Nessus Agent** (CVE-2026-2026), **Juniper Secure Analytics (JSA)**, **HPE SimpliVity** (Intel firmware advisories), and **PostgreSQL** point releases; these are separate remediation items and not part of the Chrome zero-day event.
1 month ago
Google Patches Two Actively Exploited Chrome Zero-Days
Google released an urgent **Chrome stable channel** update to address two **high-severity zero-day vulnerabilities** that the company says are being **actively exploited in the wild**. The patched versions are `146.0.7680.75/76` for **Windows and macOS** and `146.0.7680.75` for **Linux**, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated. The two vulnerabilities are **CVE-2026-3909**, an **out-of-bounds write in Skia**, and **CVE-2026-3910**, an **inappropriate implementation in V8**. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to **arbitrary code execution**. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.
1 month ago
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two **high-severity zero-day vulnerabilities**, `CVE-2026-3909` and `CVE-2026-3910`, that are being **exploited in the wild**. Advisory reporting says the flaws can enable **data manipulation** and **security restriction bypass**, prompting a **high-risk** assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes. Technical reporting identifies `CVE-2026-3909` as an **out-of-bounds write** in **Skia**, Chrome’s graphics library, and `CVE-2026-3910` as an **inappropriate implementation** issue in the **V8 JavaScript and WebAssembly engine**. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for **Windows `146.0.7680.75`**, **macOS `146.0.7680.76`**, and **Linux `146.0.7680.75`**. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
1 month ago