
Google Chrome Zero-Day Exploited in the Wild: Use-After-Free in CSS Enables Remote Code Execution (CVE-2026-2441)

⚠ Active Exploitation — Zero-Day
CVSS: 8.8 (High) | Type: Use-After-Free | Vector: Network

Vulnerability Overview

Google released an emergency security update on February 13, 2026 to patch a high-severity zero-day vulnerability in its Chrome browser. The flaw, tracked as CVE-2026-2441, is a use-after-free vulnerability in Chrome's CSS processing component that is being actively exploited in the wild. This marks the first actively exploited Chrome zero-day that Google has patched in 2026.

The vulnerability allows a remote attacker to execute arbitrary code inside Chrome's sandbox by luring a victim to a specially crafted HTML page. No authentication or complex user interaction is required beyond visiting the malicious page, which significantly increases the risk profile of this flaw.

Security researcher Shaheen Fazim discovered and reported the vulnerability to Google on February 11, 2026. Google acknowledged active exploitation in its Stable Channel Update advisory, stating that "an exploit for CVE-2026-2441 exists in the wild." No details about the threat actors involved, the targets, or the scope of exploitation have been disclosed.

CVE ID: CVE-2026-2441
CVSS Score: 8.8 (High)
Vulnerability Type: Use-After-Free (UAF)
Affected Component: CSS Processing Engine
Attack Vector: Network (Remote)
User Interaction: Required (Visit Page)
Privileges Required: None
Exploitation Status: Active, In the Wild
Discovered By: Shaheen Fazim
Reported: February 11, 2026
Patch Released: February 13, 2026
Vendor: Google

Technical Details

CVE-2026-2441 is a use-after-free vulnerability in Google Chrome's CSS processing component. A use-after-free condition occurs when a program continues to use a pointer after the memory it points to has been freed, which leads to undefined behavior. In this case, Chrome's CSS engine fails to properly manage object lifecycles during CSS processing, which an attacker can exploit to corrupt memory and redirect program execution.

A remote attacker can trigger the vulnerability by crafting a malicious HTML page that exploits the flaw in Chrome's CSS handling. When a victim navigates to the attacker-controlled page, the use-after-free condition is triggered, allowing arbitrary code execution within Chrome's sandbox. While the sandbox limits the immediate impact, attackers frequently chain sandbox escapes with memory corruption bugs to achieve full system compromise.

Active Exploitation Confirmed

Google has confirmed that an exploit for CVE-2026-2441 exists in the wild. Bug details and technical specifics remain restricted until a majority of users have updated. Google has also noted that restrictions will remain in place if the vulnerability exists in third-party libraries that other projects depend on but have not yet patched.

Affected Versions

The vulnerability affects all versions of Google Chrome prior to the patched releases listed below. Users of Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — are also potentially affected and should apply vendor-specific updates as they become available.

Platform | Affected Versions | Patched Version
Windows | All versions prior to 145.0.7632.75 | 145.0.7632.75/76
macOS | All versions prior to 145.0.7632.75 | 145.0.7632.75/76
Linux | All versions prior to 144.0.7559.75 | 144.0.7559.75
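
To triage a fleet against the patched builds listed above, the following added example (not part of the original advisory) classifies an inventory export by platform and version. The CSV layout and host names are constructed, and the check covers Google Chrome only, since other Chromium-based vendors' fixed versions are not given here.

```python
import re

# Patched Google Chrome builds per platform, copied from the table above.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: host,platform,reported version string.
SAMPLE_INVENTORY = """\
ws-001,Windows,Google Chrome 145.0.7632.75
ws-002,Windows,Google Chrome 145.0.7632.9
mac-01,macOS,Google Chrome 145.0.7632.100
lnx-01,Linux,Google Chrome 144.0.7559.74
lnx-02,Linux,
kiosk-1,ChromeOS,Google Chrome 145.0.7632.75
"""

def parse_version(text):
    """Return the four-part build number in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def triage(platform, version_text):
    """Classify one endpoint as 'patched', 'vulnerable' or 'unknown'."""
    fixed = PATCHED.get(platform.strip().lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # missing data is never reported as safe
    # Tuples compare numerically field by field; compared as strings,
    # ".9" would sort above ".75" and ".100" below it.
    return "patched" if found >= fixed else "vulnerable"

def hosts_needing_action(inventory):
    """Return (host, status) for every row that is not confirmed patched."""
    todo = []
    for line in inventory.strip().splitlines():
        # Pad short rows so a malformed line ends up as 'unknown'.
        host, platform, version_text = (line.split(",", 2) + ["", ""])[:3]
        status = triage(platform, version_text)
        if status != "patched":
            todo.append((host, status))
    return todo

if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Rows with an unlisted platform or an unreadable version are reported as unknown so they get a manual check instead of silently passing.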

Recommendations

  1. Update Google Chrome immediately. Navigate to Menu → Help → About Google Chrome to verify your version and trigger the update. Relaunch the browser to apply the patch.
  2. Update Chromium-based browsers. If you use Microsoft Edge, Brave, Opera, Vivaldi, or any other Chromium-based browser, check for and apply the latest security updates from the respective vendor.
  3. Enforce enterprise patch deployment. Organizations should push the updated Chrome version across managed endpoints immediately, prioritizing systems that handle sensitive data or have elevated network access.
  4. Monitor for anomalous browser behavior. Deploy or verify endpoint detection and response (EDR) tooling to identify potential exploitation attempts, including unusual child processes spawned by Chrome or unexpected network connections.
  5. Restrict access to untrusted sites. Consider implementing web filtering or DNS-level protections to reduce exposure to potentially malicious pages during the update rollout window.
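
For recommendation 4, this added example (not from the original advisory or from any EDR product) shows one way to flag unusual child processes of Chrome in process-creation telemetry. The event field names, the sample events and the allowlist are assumptions to adapt to your own tooling and baseline.

```python
import ntpath

CHROME_NAMES = {"chrome", "chrome.exe"}
# Assumed baseline of children the browser process starts in normal use;
# replace it with what your own fleet shows.
EXPECTED_CHILDREN = CHROME_NAMES | {"chrome_crashpad_handler"}

# Constructed process-creation events; the field names are hypothetical.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"host": "ws-001", "parent_image": CHROME, "parent_cmdline": CHROME,
     "image": CHROME},
    {"host": "ws-002", "parent_image": CHROME,
     "parent_cmdline": CHROME + " --type=renderer",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-003", "parent_image": CHROME, "parent_cmdline": CHROME,
     "image": r"C:\Users\a\Downloads\setup.exe"},
    {"host": "lnx-01", "parent_image": "/opt/google/chrome/chrome",
     "parent_cmdline": "/opt/google/chrome/chrome",
     "image": "/opt/google/chrome/chrome_crashpad_handler"},
    {"host": "ws-004", "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe", "image": CHROME},
]

def name_of(path):
    """Lower-cased file name; ntpath accepts Windows and POSIX separators."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return None (ignore), 'review' or 'high' for one event."""
    if name_of(event["parent_image"]) not in CHROME_NAMES:
        return None
    if "--type=renderer" in event.get("parent_cmdline", ""):
        # Renderers run sandboxed and are not expected to create processes.
        return "high"
    return None if name_of(event["image"]) in EXPECTED_CHILDREN else "review"

def alerts(events):
    """Return (host, child name, severity) for every flagged event."""
    found = []
    for e in events:
        severity = classify(e)
        if severity:
            found.append((e["host"], name_of(e["image"]), severity))
    return found

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

The "review" tier will include benign activity such as a user opening a download, so it is meant for baselining; the renderer-parent case is the one to alert on.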

Context

CVE-2026-2441 is the first actively exploited Chrome zero-day patched by Google in 2026. In 2025, Google addressed eight zero-day vulnerabilities in Chrome that were either actively exploited or demonstrated as proof-of-concept. The Hong Kong Computer Emergency Response Team (HKCERT) classified this vulnerability as "Extremely High Risk" in an advisory issued on February 16, 2026.

Browser-based vulnerabilities remain a high-value target for threat actors due to the ubiquity of web browsers and the broad attack surface they expose. Chrome processes untrusted web content continuously — every script, stylesheet, and image is parsed in real time — making memory safety issues in rendering components particularly dangerous.
