Google Patching the First Chrome Zero?Day Exploited in Attacks This Year (CVE?2026?2441)

Overview

On February 16, 2026, Google released emergency updates to address CVE?2026?2441, the first actively exploited Chrome zero?day vulnerability discovered this year.
This high?severity flaw is a use?after?free vulnerability in the CSS component (CSSFontFeatureValuesMap), allowing attackers to execute arbitrary code inside Chrome’s sandbox by tricking users into opening a malicious webpage.

Google confirmed that “an exploit for CVE?2026?2441 exists in the wild,” though details on specific attack campaigns remain restricted until most users update.
Updated Chrome versions rolled out include 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux, with similar patches expected across all Chromium?based browsers such as Edge, Opera, Brave, and Vivaldi.

This marks the first Chrome zero?day patch of 2026, following eight zero?days patched in 2025.

Who It Impacts

This advisory affects organizations and individuals using:

Google Chrome browsers on Windows, macOS, and Linux
Chromium-based browsers, including:

Microsoft Edge
Brave
Vivaldi
Opera

Enterprises with unmanaged or outdated desktop browsers
Users exposed to malicious or compromised websites
Systems dependent on browser-based enterprise applications

Unpatched Chrome instances are vulnerable to remote code execution via crafted HTML pages.

How It Impacts

If exploited successfully, this vulnerability can allow attackers to:

Execute arbitrary code within Chrome’s sandbox using malicious webpages
Trigger browser crashes, rendering issues, and memory corruption
Possibly chain attacks with additional vulnerabilities to escape the sandbox
Steal sensitive browser data or hijack user sessions
Launch drive?by attacks where visiting a single webpage compromises the browser

Google has restricted technical details temporarily to prevent further exploit development.

CVE Details

The actively exploited zero?day is:

CVE?2026?2441 – Google Chrome CSS Use?After?Free Vulnerability

Severity: High (CVSS 8.8)
Impact: Remote code execution inside Chrome’s sandbox via malicious HTML content
Affected: Chrome versions prior to 145.0.7632.75/76 (Win/Mac) and 144.0.7559.75 (Linux)
Discovered by: Security researcher Shaheen Fazim
Fix: Emergency patch deployed across stable channels

NOTE: More details are available in official vendor documentation and linked references.

Recommendations

Immediate Actions:

Update Chrome immediately to versions 145.0.7632.75/76 (Windows/Mac) or 144.0.7559.75 (Linux).
Restart the browser to ensure patches are applied.
Push updates via enterprise management tools for large environments.
Update all Chromium-based browsers once patches become available.

Security Best Practices:

Enforce automatic browser updating across managed systems.
Limit browser extension installations to trusted sources.
Disable unnecessary browser plugins and legacy components.
Ensure endpoint protection solutions monitor browser exploitation behaviors.

Monitoring:

Watch for unusual browser crashes or rendering issues.
Monitor outbound connections from browsers to suspicious domains.
Review logs for unexpected downloads or session hijacking patterns.
Track Chrome version compliance across the fleet.

Reference Links:

https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-at…
https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
https://www.securityweek.com/google-patches-first-actively-exploited-chrome-zero-day-of-2026/
https://cybernews.com/security/chrome-browsers-google-emergency-patch-zero-day/
https://www.malwarebytes.com/blog/news/2026/02/update-chrome-now-zero-day-bug-allows-code-execution…
https://cyberpress.org/google-chrome-zero-day-flaw/ [bleepingcomputer.com] [thehackernews.com] [securityweek.com] [cybernews.com] [malwarebytes.com] [cyberpress.org]