Google Patches First Actively Exploited Chrome Zero-Day of 2026

Google has released emergency security updates to fix the first actively exploited Chrome zero-day vulnerability of 2026, tracked as CVE-2026-2441.

The high-severity flaw affects the browser’s CSS component and has been described as a use-after-free vulnerability, which can potentially lead to arbitrary code execution.

Affected Chrome Versions

The vulnerability has been patched in the following versions of Google Chrome:

  • Chrome 145.0.7632.75/76
  • Chrome 144.0.7559.75

Users are strongly advised to update their browsers immediately to protect against possible exploitation.
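
For administrators checking a fleet, the following added example (not from Google's advisory or the original article) triages a browser inventory against the fixed builds listed above. It assumes the inventory maps hostnames to four-part Chrome version strings, that any build at or above the listed floor on its release line carries the fix, and that later major versions include it; the hostnames and sample versions are constructed.

```python
import re

# Fixed builds taken from the article; one floor per release line (major version).
PATCHED_FLOORS = {
    145: (145, 0, 7632, 75),
    144: (144, 0, 7559, 75),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a Chrome version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # malformed inventory entry: needs manual follow-up
    parts = tuple(int(p) for p in m.groups())
    major = parts[0]
    if major in PATCHED_FLOORS:
        return "patched" if parts >= PATCHED_FLOORS[major] else "vulnerable"
    # Assumption: majors newer than the listed lines ship the fix,
    # while older majors receive no backport.
    return "patched" if major > max(PATCHED_FLOORS) else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so unpatched hosts can be prioritised."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "ws-01": "145.0.7632.76",
    "ws-02": "145.0.7632.45",
    "ws-03": "144.0.7559.75",
    "ws-04": "143.0.7499.192",
    "ws-05": "Google Chrome 145",
    "ws-06": "146.0.7650.10",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Entries reported as unknown are version strings the inventory tool truncated or reformatted, and should be re-collected rather than assumed safe.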

Exploit Confirmed in the Wild

In its security advisory, Google confirmed: “Google is aware that an exploit for CVE-2026-2441 exists in the wild.”

The vulnerability was reported on February 11 and patched just two days later — highlighting a rapid response cycle from Google’s security team.

Security researcher Shaheen Fazim has been credited for responsibly disclosing the flaw. He has previously reported multiple high-severity Chrome vulnerabilities and received bug bounty rewards ranging between $7,000 and $8,000.

A reward amount for CVE-2026-2441 has not yet been announced.

Technical Details: What Is a Use-After-Free Vulnerability?

A use-after-free vulnerability occurs when a program continues to use memory after it has been released. Attackers can exploit this flaw to:

  • Corrupt memory
  • Execute arbitrary code
  • Hijack browser sessions
  • Steal sensitive data

In this case, exploitation likely requires a victim to visit a malicious website crafted to trigger the vulnerability.

Sandbox Mitigation and Risk Level

Chrome runs web content inside a security sandbox designed to limit system-level damage. While CVE-2026-2441 could enable arbitrary code execution within the sandbox, attackers would likely require an additional vulnerability to escape it and gain full system control.

However, even sandbox-level exploitation can allow attackers to:

  • Access browser-stored information
  • Capture authentication tokens
  • Perform session hijacking
  • Stage follow-up attacks

Chrome Zero-Days: A Continuing Trend

Zero-day vulnerabilities remain a persistent threat. In 2025, multiple Chrome zero-days were publicly tracked.

According to Google’s internal zero-day tracker, six Chrome zero-day vulnerabilities were identified last year. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) included seven Chrome flaws in its Known Exploited Vulnerabilities (KEV) catalog.

The rapid patching of CVE-2026-2441 underscores the importance of immediate browser updates to minimize exposure.