Chrome's First 2026 Zero-Day
Google has released an emergency update for Chrome to address CVE-2026-2441, a high-severity use-after-free vulnerability in the browser's CSS handling component. The flaw has been actively exploited in the wild, making it the first Chrome zero-day that Google has patched in 2026.
Security researcher Shaheen Fazim discovered and reported the vulnerability on February 11, 2026. Google acknowledged that "an exploit for CVE-2026-2441 exists in the wild" and released a patch just two days later on February 13.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-2441 |
| CVSS Score | 8.8 (High) |
| Type | Use-After-Free (CWE-416) |
| Component | Chrome CSS Engine |
| Attack Vector | Network (crafted HTML page) |
| User Interaction | Required (visit malicious page) |
| Exploitation | Active — confirmed in the wild |
| Discoverer | Shaheen Fazim (Feb 11, 2026) |
| Patch Date | February 13, 2026 |
How the Exploit Works
Use-After-Free in CSS
A use-after-free vulnerability occurs when a program continues to reference memory after it has been freed. In Chrome's CSS engine:
- The CSS parser allocates memory for a style object
- Under specific conditions, the object is freed prematurely
- The freed memory is reallocated for attacker-controlled data
- Chrome's CSS engine references the now-attacker-controlled memory
- The attacker achieves arbitrary code execution within Chrome's sandbox
From Sandbox to System
While the initial exploit runs within Chrome's sandbox (a security boundary), it can be chained with:
- Sandbox escape vulnerabilities to break out to the operating system
- Privilege escalation bugs to gain elevated access
- The current six Microsoft zero-days for full Windows system compromise
Patched Versions
| Platform | Patched Version |
|---|---|
| Windows | Chrome 145.0.7632.75/76 |
| macOS | Chrome 145.0.7632.75/76 |
| Linux | Chrome 144.0.7559.75 |
How to Update
- Open Chrome and navigate to
chrome://settings/help - Chrome will check for updates and download automatically
- Click Relaunch to apply the update
- Verify the version number matches the patched version above
Impact Assessment
A successful exploit of CVE-2026-2441 enables:
| Attack Capability | Description |
|---|---|
| Malware delivery | Execute arbitrary code to install malware |
| Credential theft | Access stored passwords, cookies, and session tokens |
| Session hijacking | Take over authenticated sessions to banking, email, and other services |
| Cryptocurrency theft | Access browser-based crypto wallets |
| Lateral movement | Use compromised browser as pivot point into corporate networks |
Chrome Zero-Day Trend
Chrome zero-days continue to be a valuable commodity for both nation-state actors and commercial spyware vendors:
| Year | Chrome Zero-Days Patched | Notable Exploits |
|---|---|---|
| 2021 | 16 | Multiple chains used by commercial spyware |
| 2022 | 9 | State-sponsored campaigns targeting journalists |
| 2023 | 8 | Commercial spyware and APT campaigns |
| 2024 | 10 | Increased targeting of enterprise Chrome deployments |
| 2025 | 12 | Record year for Chrome zero-days |
| 2026 | 1 (so far) | CVE-2026-2441 — CSS use-after-free |
Enterprise Considerations
For IT Administrators
- Force Chrome updates via Group Policy or enterprise management tools
- Monitor for outdated Chrome instances — Unpatched browsers are immediate targets
- Review browser isolation strategies — Consider remote browser isolation for high-risk users
- Enable Chrome's Enhanced Safe Browsing to get real-time protection against known exploit sites
For Security Teams
- Hunt for IOCs associated with CVE-2026-2441 exploitation
- Check proxy/web filter logs for connections to known exploit kit infrastructure
- Correlate with endpoint detection — Look for post-exploitation behavior following browser process anomalies
- Update WAF rules if protecting web applications from being weaponized as delivery vectors
Key Takeaways
- First Chrome zero-day of 2026 — CVE-2026-2441 is a use-after-free in the CSS engine (CVSS 8.8)
- Actively exploited — Google confirms in-the-wild exploitation
- Two-day patch turnaround — Disclosed Feb 11, patched Feb 13
- Update Chrome immediately — Version 145.0.7632.75/76 on Windows/Mac, 144.0.7559.75 on Linux
- Chainable with other vulnerabilities for full system compromise
Sources
- The Hacker News — New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released
- Malwarebytes — Update Chrome Now: Zero-Day Bug Allows Code Execution via Malicious Webpages
- Help Net Security — Google Patches Chrome Vulnerability With In-the-Wild Exploit
- SecurityWeek — Google Patches First Actively Exploited Chrome Zero-Day of 2026