Critical Chrome Zero-Day Exploited

Google has issued an urgent patch for a high-severity zero-day vulnerability in Chrome, identified as CVE-2026-2441. The memory bug, located in the browser's font feature handling, is being actively exploited in the wild. The flaw allows for code execution through malicious webpages, and immediate updates are advised for all users.

- This is the first actively exploited zero-day vulnerability discovered in Chrome in 2026. In 2025, Google addressed eight zero-day flaws in its browser.
- The vulnerability was discovered and reported on February 11, 2026, by security researcher Shaheen Fazim. Google released a patch to address the issue just two days later on February 13, 2026.
- The bug is classified as a "use-after-free" vulnerability within the Cascading Style Sheets (CSS) engine of the browser. This type of flaw can lead to memory corruption when the browser tries to access memory that has already been deallocated.
- Exploitation of this vulnerability requires tricking a user into visiting a specially crafted HTML page. No further user interaction is needed beyond visiting the malicious webpage.
- The flaw affects not only Google Chrome but all browsers built on the Chromium engine, including Microsoft Edge, Brave, and Opera.
- While the exploit allows for arbitrary code execution within the browser's sandbox, attackers might chain it with other vulnerabilities to escape the sandbox and compromise the entire system.
- Google has intentionally limited the amount of technical detail released about the exploit to prevent its further use by malicious actors.
- The patched versions of Chrome are 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
