Executive Summary
Google has patched CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS engine that Google confirms is being actively exploited in the wild. It is the first Chrome zero-day exploited in 2026. The flaw lets a remote attacker execute arbitrary code inside the sandboxed renderer process by luring a victim to a crafted web page; breaking out of the sandbox would require a separate bug, which is why the practical impact depends on details Google has not yet disclosed.
CVSS Score: 8.8 (High)
All Chrome users should update immediately to version 145.0.7632.75 or later.
Vulnerability Details
Root Cause
CVE-2026-2441 is a use-after-free (UAF) memory corruption bug in Chrome's CSS rendering component. The flaw occurs when:
- A CSS object is allocated and used during page rendering
- The object is freed (deallocated) during a specific rendering sequence
- The freed memory is subsequently referenced (used after free)
- An attacker can control what data occupies the freed memory
This pattern allows attackers to achieve arbitrary code execution within the Chrome renderer process.
Exploitation
| Vector | Details |
|---|---|
| Attack Vector | Network (remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (visit malicious page) |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Google confirmed: "An exploit for CVE-2026-2441 exists in the wild."
No details have been released on the threat actors, targets, or whether the exploit achieves sandbox escape.
Affected Versions
| Platform | Vulnerable Versions | Fixed Version |
|---|---|---|
| Windows | Chrome < 145.0.7632.75 | 145.0.7632.75/.76 |
| macOS | Chrome < 145.0.7632.75 | 145.0.7632.75/.76 |
| Linux | Chrome < 145.0.7632.75 | 145.0.7632.75 |
Chromium-based browsers (Edge, Brave, Opera, Vivaldi) share the affected rendering code and remain exposed until each vendor ships a build that includes the fix; update them as soon as those builds are available.
Immediate Remediation
Update Chrome
- Navigate to chrome://settings/help
- Chrome will automatically download and install the update
- Click Relaunch to apply
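The relaunch step is the one users skip, so confirm the build that is actually on disk rather than trusting the update prompt. The PowerShell below is an added example, not part of the advisory or Google's tooling; it assumes the standard per-machine and per-user install paths used by Google's installer and compares the file version of chrome.exe against the fixed build:

```powershell
# Added example (not from the advisory): report whether each Chrome install on this host is at or
# above the fixed build. Paths below are the standard installer locations (assumption: defaults).
$FixedVersion = [version]'145.0.7632.75'

function Get-ChromeInstalls {
    # Per-machine 64-bit, per-machine 32-bit, and per-user install locations.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            [pscustomobject]@{
                Path    = $path
                Version = [version]$fileVersion
                # chrome.exe is only swapped for the new binary on relaunch; a sibling
                # new_chrome.exe means the update was staged but the old build is still running.
                Staged  = Test-Path -LiteralPath (Join-Path (Split-Path $path) 'new_chrome.exe')
            }
        }
    }
}

function Test-ChromePatched {
    param([Parameter(Mandatory)][version]$Installed, [version]$Fixed = $FixedVersion)
    # [version] compares field by field, so 145.0.7632.100 ranks above 145.0.7632.75;
    # a string comparison would get that wrong.
    return $Installed -ge $Fixed
}

$installs = @(Get-ChromeInstalls)
if (-not $installs) {
    Write-Output "$env:COMPUTERNAME: Chrome not found in the standard install locations"
} else {
    foreach ($i in $installs) {
        $status = if (Test-ChromePatched -Installed $i.Version) { 'PATCHED' } else { 'VULNERABLE' }
        if ($i.Staged) { $status += ' (update staged, relaunch pending)' }
        Write-Output ("{0}: {1} {2} {3}" -f $env:COMPUTERNAME, $status, $i.Version, $i.Path)
    }
}
```

Run it fleet-wide with `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Check-Chrome.ps1` and collect the output; any host reporting VULNERABLE or a pending relaunch has not yet been protected, whatever the update policy says.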
Enterprise Deployment
```powershell
# Allow Chrome updates through the Google Update policy key (1 = updates always allowed).
# This is the registry-backed policy, not a GPO push; create the key if no policy has been set yet.
$updatePolicy = "HKLM:\SOFTWARE\Policies\Google\Update"
if (-not (Test-Path $updatePolicy)) { New-Item -Path $updatePolicy -Force | Out-Null }
Set-ItemProperty -Path $updatePolicy -Name "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" -Type DWord -Value 1
# Trigger an immediate update check (adjust the path if Google Update is installed under Program Files (x86))
& "C:\Program Files\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
```
If Patching Is Delayed
- Enable Site Isolation — verify at chrome://flags/#enable-site-per-process. Site isolation is on by default in desktop Chrome; confirm nobody has turned it off. It does not stop the bug from being triggered, but it limits a compromised renderer to the data of the site that compromised it.
- Enable Enhanced Safe Browsing — Settings → Privacy → Security → Enhanced protection
- Restrict browsing to trusted and known-good websites
- Monitor for exploitation — check for renderer crashes or unexpected renderer process behavior
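Flags and Settings toggles are per-user and reversible; in a managed environment the interim mitigations should be enforced through Chrome's enterprise policy registry keys instead. The script below is an added example, not from the advisory; the policy names and values (SitePerProcess, SafeBrowsingProtectionLevel, URLBlocklist, URLAllowlist) are Chrome's documented enterprise policies, while the allowlisted hosts are placeholders to be replaced with your own:

```powershell
# Added example (not from the advisory): enforce the interim mitigations via Chrome policy so users
# cannot switch them off. Allowlist entries are placeholders (assumption), replace with your sites.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

# SitePerProcess = 1: every site gets its own renderer. This does not prevent the UAF from firing;
# it confines a compromised renderer to the data of the site that compromised it.
Set-ItemProperty -Path $PolicyKey -Name 'SitePerProcess' -Type DWord -Value 1

# SafeBrowsingProtectionLevel: 0 = off (the weak setting), 1 = standard, 2 = enhanced (the advisory's ask).
Set-ItemProperty -Path $PolicyKey -Name 'SafeBrowsingProtectionLevel' -Type DWord -Value 2

# Restrict browsing: block everything, then allowlist known-good sites. Each list is a subkey with
# REG_SZ values named 1, 2, 3 ... holding one URL pattern apiece.
$lists = [ordered]@{
    URLBlocklist = @('*')
    URLAllowlist = @('intranet.example', 'mail.example')   # placeholders
}
foreach ($name in $lists.Keys) {
    $subkey  = Join-Path $PolicyKey $name
    $entries = @($lists[$name])
    if (Test-Path $subkey) { Remove-Item -Path $subkey -Recurse -Force }
    New-Item -Path $subkey -Force | Out-Null
    for ($n = 0; $n -lt $entries.Count; $n++) {
        Set-ItemProperty -Path $subkey -Name ($n + 1) -Type String -Value $entries[$n]
    }
}

# Read back what was written so the change can be verified on each host.
function Get-ChromePolicyState {
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        SitePerProcess              = $p.SitePerProcess
        SafeBrowsingProtectionLevel = $p.SafeBrowsingProtectionLevel
        BlocklistEntries            = (Get-Item -Path (Join-Path $PolicyKey 'URLBlocklist')).ValueCount
        AllowlistEntries            = (Get-Item -Path (Join-Path $PolicyKey 'URLAllowlist')).ValueCount
    }
}
Get-ChromePolicyState
```

Chrome reloads machine policy shortly after the registry changes; chrome://policy on the endpoint shows the live values and flags any entry it rejected. Test the blocklist/allowlist combination on a pilot group before a wide rollout, since a bare `*` blocklist is as disruptive as it is effective, and remove it once the fleet is on 145.0.7632.75 or later.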
Detection
Crash Indicators
Failed use-after-free exploitation attempts typically crash the renderer process; a successful exploit may not, and renderers also crash for entirely benign reasons, so treat crashes as a lead to triage rather than proof of compromise. Check:
- Chrome crash reports: chrome://crashes
- Windows Event Log: Application crashes for chrome.exe
- Crash dump files in Chrome's user data directory
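Pulling those sources together for the last week of activity, as an added example that is not part of the advisory. The event field positions follow the standard layout of Application Error event 1000; the dump directory is Chrome's default Crashpad location under the user profile (both assumptions to verify against your own logs). Chrome's own Crashpad handler can catch the exception before Windows Error Reporting sees it, so the two sources will not always agree, which is why both are listed:

```powershell
# Added example (not from the advisory): list Chrome crashes from the Application log and the dumps
# Chrome keeps locally. Assumptions: event 1000 field order, default Crashpad report directory.
$Since = (Get-Date).AddDays(-7)

function Get-ChromeCrashEvents {
    param([datetime]$StartTime = $Since)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'chrome.exe' } |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ChromeVersion = $p[1].Value   # compare against 145.0.7632.75: crashes on older builds matter most
                FaultModule   = $p[3].Value   # chrome.dll for renderer/Blink crashes
                ExceptionCode = $p[6].Value   # c0000005 = access violation, the usual signature of memory corruption
                FaultOffset   = $p[7].Value   # repeated identical offsets suggest the same bug being hit
                ProcessId     = $p[8].Value
            }
        }
}

function Get-ChromeCrashDumps {
    param([datetime]$StartTime = $Since)
    $dumpDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Crashpad\reports'
    if (-not (Test-Path -LiteralPath $dumpDir)) { return @() }
    Get-ChildItem -LiteralPath $dumpDir -Filter '*.dmp' -File |
        Where-Object LastWriteTime -ge $StartTime |
        Select-Object FullName, LastWriteTime, Length
}

$events = @(Get-ChromeCrashEvents)
$dumps  = @(Get-ChromeCrashDumps)
Write-Output "Chrome crashes in the Application log since $($Since.ToString('yyyy-MM-dd')): $($events.Count)"
$events | Sort-Object Time -Descending | Format-Table -AutoSize
Write-Output "Crashpad dumps retained locally: $($dumps.Count)"
$dumps | Format-Table -AutoSize

# Triage rule of thumb: a burst of access-violation crashes in chrome.dll on a pre-145.0.7632.75 build,
# clustered around visits to an unfamiliar site, is worth pulling the dump and browsing history for.
# A lone crash with no such context is routine.
```

The dumps are minidumps; open the interesting ones in WinDbg with the matching Chrome symbols to see whether the faulting stack is in the CSS/style code, and correlate the crash timestamps with proxy or DNS logs for the same user.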
Network and Host Indicators
Google has published no indicators of compromise, so these are generic signals rather than signatures for this exploit. Monitor for:
- Visits to newly registered or low-reputation domains, from proxy or DNS logs
- Unusually large CSS payloads from untrusted sources, where TLS inspection makes content visible
- Child processes spawned by Chrome renderer processes: a sandboxed renderer should not launch anything, so this points to a sandbox escape rather than the renderer bug alone
Timeline
| Date | Event |
|---|---|
| Feb 11, 2026 | Shaheen Fazim reports vulnerability to Google |
| Feb 13, 2026 | Google releases Chrome 145.0.7632.75/.76 |
| Feb 16, 2026 | Google confirms in-the-wild exploitation |