Chrome Zero-Day CVE-2026-2441 Exploited in Wild as Google Ships Emergency Patch

3 Min Read / February 16, 2026

Chrome Zero-Day CVE-2026-2441 Exploited in Wild as Google Ships Emergency Patch

Google shipped an emergency patch on February 13 to address a Chrome zero-day vulnerability that attackers have been exploiting in the wild. CVE-2026-2441, assigned a CVSS score of 8.8, is a use-after-free flaw in Chrome’s CSS component that allows remote code execution inside the browser sandbox via a malicious webpage.

The Hacker News reported that security researcher Shaheen Fazim discovered and reported the flaw on February 11, two days before Google’s patch. BleepingComputer’s analysis of the Chromium commit history shows the vulnerability stems from “an iterator invalidation bug in CSSFontFeatureValuesMap” — Chrome’s implementation of CSS font feature values.

Google confirmed in its advisory that “an exploit for CVE-2026-2441 exists in the wild” but provided no details about who is behind the attacks or which targets were affected. That silence is standard during active investigations and helps prevent additional weaponisation.

The Flaw Requires Only a Webpage Visit

The National Vulnerability Database description makes clear the attack vector: “Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.” No authentication is required. An attacker needs only to convince a user to visit a malicious website.

While Chrome’s sandbox limits the immediate damage — code executes in a restricted environment rather than with full system access — SOC Prime analysts note that “a successful exploit can turn normal browsing into an entry point for malware delivery, credential theft through session hijacking or token access, and follow-on compromise.” If attackers combine this flaw with a sandbox escape, the consequences become far more severe.

BleepingComputer’s technical analysis suggests the patch may be temporary. The commit message notes the fix addresses “the immediate problem” but indicates there’s “remaining work” tracked in bug 483936078, suggesting related issues need attention.

This Is 2026’s First Exploited Chrome Zero-Day

CVE-2026-2441 marks the first actively exploited Chrome zero-day that Google has patched this year. In 2025, the company addressed eight zero-days in Chrome that were either exploited in attacks or demonstrated as proof-of-concept, according to The Hacker News. Many of those were identified by Google’s Threat Analysis Group, which tracks zero-days used in spyware campaigns targeting high-risk individuals.

The pattern suggests organised threat actors, not opportunistic criminals, were behind the initial exploitation. SecurityWeek notes that “there appears to be no public information about attacks exploiting CVE-2026-2441” — a signal that the exploitation was targeted rather than widespread.

Patch Now, Restart Later Won’t Work

The fixed versions are Chrome 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. Google’s rollout is staged over several days, so not all users will receive the update simultaneously.

Critical detail: downloading the update is not enough. SOC Prime emphasises that systems that “downloaded the update but have not restarted Chrome, can remain exposed.” The browser must be restarted for the patch to take effect.

Check your Chrome version via Settings > About Chrome. If you see a “Relaunch” button after the update downloads, click it immediately. Organisations that defer browser restarts to avoid disrupting user sessions are carrying unnecessary risk.

The vulnerability also affects Chromium-based browsers. NotebookCheck confirmed that Opera updated to version 127.0.5778.64 and Vivaldi to 7.8 (Chromium 144.0.7559.175) to address the same flaw.