Google Patches Chrome Zero-Day Under Active Exploitation

Google released an emergency Chrome update on Friday to patch CVE-2026-2441, a high-severity use-after-free vulnerability in the browser's CSS rendering engine that attackers are actively exploiting in the wild. This marks the first actively exploited Chrome zero-day of 2026.

The vulnerability carries a CVSS score of 8.8 and allows remote attackers to execute arbitrary code inside Chrome's sandbox through a specially crafted HTML page. While sandbox containment limits the immediate blast radius, successful exploitation could be chained with additional bugs for full system compromise.

Technical Details

CVE-2026-2441 stems from improper memory management in Chrome's CSS processing component. Use-after-free bugs occur when code continues to reference memory after it's been freed, potentially allowing attackers to corrupt memory and hijack program execution.

Security researcher Shaheen Fazim discovered and reported the flaw to Google on February 11, 2026. Google acknowledged exploitation exists but—following standard practice—withheld specific details about attack targets or techniques to give users time to update.

Affected versions: Chrome prior to 145.0.7632.75

Fixed versions:

• Windows/macOS: 145.0.7632.75 or 145.0.7632.76
• Linux: 144.0.7559.75

The update should roll out automatically over the coming days, but users can force an immediate update through Chrome's Settings menu under "About Chrome."

Why CSS Rendering Bugs Matter

CSS rendering sits at the heart of how Chrome displays web content. Every webpage triggers CSS parsing and layout calculations, making this attack surface essentially universal. An attacker only needs to serve malicious CSS to a victim's browser—no user interaction required beyond visiting the wrong page.

The in-sandbox code execution limitation is real but shouldn't inspire complacency. Attackers regularly chain sandbox escapes with initial access bugs. Last month's February Patch Tuesday fixed multiple privilege escalation vulnerabilities that could serve exactly this purpose.

Exploitation Timeline Unknown

Google's advisory confirms wild exploitation but provides no details on scope, attribution, or attack targets. This is typical for zero-day disclosures—vendors prioritize getting patches out before explaining who's being attacked.

The five-day window between Fazim's February 11 report and Friday's patch is relatively fast for a high-severity browser bug. Google's Project Zero gives vendors 90 days by default, but actively exploited flaws get expedited handling.

Chrome's dominance—holding roughly 65% of global browser market share—makes it a high-value target. Browser zero-days regularly feature in commercial spyware and nation-state toolkits, though there's no current evidence linking CVE-2026-2441 to either. We've covered similar exploitation patterns in Apple's WebKit zero-day disclosures where commercial surveillance vendors were later implicated.

What You Should Do

1. Update Chrome immediately — Navigate to Settings > About Chrome and verify you're running version 145.0.7632.75 or later
2. Enable automatic updates if not already configured
3. Restart the browser after updating to apply the fix
4. Review Chromium-based browsers — Microsoft Edge, Brave, Opera, and other Chromium derivatives will need their own patches

For enterprise environments, CISA's Known Exploited Vulnerabilities catalog will likely add this CVE shortly given confirmed exploitation. Federal agencies should anticipate remediation deadlines.

Chrome's component update system can apply some security fixes without full browser updates, but this CSS engine patch requires a full version upgrade. Users running managed Chrome deployments should coordinate with IT to expedite rollouts.

The Broader Browser Security Picture

This is the first actively exploited Chrome zero-day Google has patched in 2026, but it won't be the last. Google fixed eight such vulnerabilities across 2025, with several traced to commercial surveillance vendors and state-sponsored operations.

For organizations concerned about browser-based attacks, browser isolation and strict Content Security Policy headers offer additional defense layers. Our endpoint detection and response guide covers how modern EDR solutions can detect suspicious browser behavior that signature-based tools miss.

The attack surface inherent in rendering untrusted web content means browser zero-days will remain a persistent threat. The best defense remains aggressive patching—which means updating Chrome today, not waiting for automatic rollouts.