Google Patches First Actively Exploited Chrome Zero-Day of 2026
Google patches CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS component that requires nothing more than visiting a malicious webpage to exploit, affecting over 3 billion Chrome users.
Google released an emergency update for Chrome on February 13, 2026, patching CVE-2026-2441, a high-severity use-after-free vulnerability actively exploited in the wild. It is the first actively exploited Chrome zero-day of 2026.
The Vulnerability
CVE-2026-2441 is a use-after-free flaw in CSSFontFeatureValuesMap, a component of Chrome's CSS implementation that handles font feature value processing. Use-after-free vulnerabilities occur when a program references memory after it has been freed, potentially allowing an attacker to control that memory location and redirect execution. The vulnerability carries a CVSS score of 8.8 (High severity) and was reported by security researcher Shaheen Fazim on February 11.
The attack vector is particularly concerning: exploitation requires only visiting a specially crafted webpage. No file download, no permission grant, no interaction beyond navigating to the URL. Drive-by exploitation via malicious ads, compromised legitimate sites, or phishing links are all viable delivery mechanisms.
Patch Details
Google shipped the fix in Chrome 145.0.7632.75/76 for Windows and macOS, and Chrome 144.0.7559.75 for Linux. Chrome's auto-update mechanism delivers patches silently, but the update requires a browser restart. Users who keep Chrome windows open indefinitely may remain on a vulnerable version despite the update being downloaded.
Downstream Chromium-based browsers — Opera, Vivaldi, and Microsoft Edge — share the affected CSS code and are also vulnerable. Their vendors ship patches based on the upstream Chromium fix on their own timelines.
Scale of Impact
With over 3 billion Chrome users worldwide, even a low exploitation success rate translates to a large number of potential victims. Use-after-free vulnerabilities in browser components are among the most reliable primitives for achieving remote code execution in the browser process. In modern browser security, achieving full system compromise typically requires chaining a renderer exploit with a sandbox escape — whether CVE-2026-2441 has been observed in such a chain has not been confirmed.
Users should verify their Chrome version via the Help menu and confirm they are running 145.0.7632.75 or later on Windows/macOS, or 144.0.7559.75 or later on Linux.
Related Articles
Cloudflare 2026 Threat Report: 230 Billion Daily Blocked Threats and the Rise of Credential Attacks
Cloudflare has published its inaugural annual threat report revealing the company blocks over 230 billion threats daily across 20% of global web traffic. DDoS attacks doubled year-over-year to 47.1 million incidents, with the largest reaching a record 31.4 Tbps, while bots now account for 94% of all login attempts.
HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot
Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.