Google Patches Active Chrome Zero-Day

Google has released an emergency patch for a critical zero-day vulnerability in its Chrome browser, identified as CVE-2026-2441. The flaw, a “use after free” bug, is being actively exploited in the wild and can allow for arbitrary code execution. All users and organizations are urged to update their browsers immediately to mitigate the risk.

- The vulnerability was discovered by security researcher Shaheen Fazim on February 11, 2026, and reported to Google.
- The technical root cause is an iterator invalidation bug within the CSS engine's `CSSFontFeatureValuesMap`, which processes CSS font feature values. An attacker can trigger the "use after free" condition by getting a user to visit a specially crafted HTML page.
- With a CVSS severity score of 8.8, the exploit allows for arbitrary code execution *inside* the browser's sandbox. While this provides a critical foothold, an attacker would typically need to chain it with a separate sandbox-escape vulnerability to achieve full system compromise.
- This is the first actively exploited Chrome zero-day vulnerability patched in 2026, following eight such zero-days that Google addressed in 2025.
- The fix is rolling out in Chrome versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. Other browsers built on the Chromium engine, including Microsoft Edge, Brave, Opera, and Vivaldi, are also affected and require updates.
- "Use after free" remains a persistent and dangerous class of bug in software written in memory-unsafe languages like C++. It occurs when a program deallocates a block of memory but fails to clear the pointer to it, allowing a potential attacker to write malicious code into that now-unallocated memory and later execute it.
- While this vulnerability was found by an external researcher, Google's own security teams like Project Zero are increasingly using AI agents to proactively find complex vulnerabilities, highlighting a trend toward automated and AI-driven security research.
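A fleet-inventory check against the fixed Chrome builds listed above, as an added example that is not part of the original article. The row format, hostnames, sample versions and function names are assumptions made for illustration; the minimum fixed builds are the ones the article states.

```python
import re

# Minimum fixed Chrome builds per platform, taken from the article text.
FIXED_CHROME = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(browser, platform, version):
    """Return 'patched', 'vulnerable' or 'review' for one inventory row."""
    # The article gives fixed builds for Chrome only. Other Chromium-based
    # browsers need their own vendor's fixed version, so route them to review.
    if browser.lower() != "chrome":
        return "review"
    fixed = FIXED_CHROME.get(platform.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "review"  # unknown platform or unparseable version string
    # Tuple comparison is numeric per component, so 145.0.7632.9 sorts below
    # 145.0.7632.75 (a plain string comparison would get this wrong).
    return "patched" if parsed >= fixed else "vulnerable"

def triage(rows):
    """Group hostnames by classification."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, browser, platform, version in rows:
        result[classify(browser, platform, version)].append(host)
    return result

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Chrome", "windows", "145.0.7632.76"),
    ("ws-02", "Chrome", "windows", "145.0.7632.9"),
    ("mac-01", "Chrome", "macos", "144.0.7559.75"),
    ("lnx-01", "Chrome", "linux", "144.0.7559.75"),
    ("ws-03", "Edge", "windows", "145.0.3800.58"),
    ("lnx-02", "Chrome", "linux", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Note that the same build number is patched on Linux but not on macOS, which is why the threshold is looked up per platform.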
