Google Patches Actively Exploited Chrome Zero-Day (CVE-2026-2441) Affecting CSS Engine
Google has released an urgent security update for its Chrome browser to address a high-severity zero-day vulnerability that is being actively exploited in the wild. The flaw, tracked as CVE-2026-2441, carries a CVSS score of 8.8 and has been identified as a use-after-free bug within the browser’s CSS engine.
The vulnerability was discovered and reported by security researcher Shaheen Fazim on February 11, 2026. Google confirmed that exploitation activity had already been observed before the patch was made publicly available.
While the company has not disclosed details about the attackers or targets involved, it acknowledged that an exploit for CVE-2026-2441 exists in the wild.
Technical Overview of CVE-2026-2441
According to the National Vulnerability Database, the flaw is a use-after-free vulnerability affecting the CSS component of Google Chrome prior to version 145.0.7632.75. Use-after-free bugs occur when memory that has been freed is accessed again, potentially enabling attackers to corrupt memory and execute arbitrary code.
In this case, a remote attacker could exploit the vulnerability by convincing a victim to visit a specially crafted HTML page. Successful exploitation would allow arbitrary code execution within Chrome’s sandbox environment.
Although sandboxing limits direct system-level access, code execution inside the sandbox still gives attackers a critical foothold for chaining additional vulnerabilities and escalating privileges.
Browser Zero-Days Remain a Prime Target
Browser-based vulnerabilities continue to attract threat actors due to their ubiquity. Chrome, as the world’s most widely used browser, represents a high-value attack surface across enterprises, government networks, and personal devices.
Even highly sophisticated environments rely on web browsers as a core interface for business applications, cloud services, and communications. A single browser exploit can bypass traditional network defenses by leveraging user interaction.
The disclosure of CVE-2026-2441 marks the first actively exploited Chrome zero-day patched in 2026. In 2025, Google addressed eight zero-day vulnerabilities that were either actively exploited or demonstrated through proof-of-concept.
Patch Versions and Update Guidance
Google has released Chrome versions 145.0.7632.75 and 145.0.7632.76 for Windows and macOS, and version 144.0.7559.75 for Linux to address the issue.
Users can confirm their browser version by navigating to More > Help > About Google Chrome. Once the update is installed, a browser relaunch is required to complete the patch process.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to monitor vendor advisories and apply corresponding updates as they become available.
Broader Zero-Day Landscape
The Chrome zero-day follows closely behind Apple’s recent disclosure of CVE-2026-20700, a vulnerability affecting multiple Apple platforms including iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS.
Apple described that flaw as part of an “extremely sophisticated attack” targeting specific individuals running older versions of iOS. Together, these incidents underscore the persistent targeting of consumer-facing software by advanced threat actors.
As web browsers continue to serve as the gateway to digital services, rapid patch deployment remains one of the most effective defenses against exploitation.
Organizations are encouraged to enforce centralized update policies and monitor endpoint compliance to reduce exposure windows.
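As an added example (not from Google or the original article), the following Python script checks an endpoint inventory against the fixed versions listed under Patch Versions and Update Guidance, as one way to monitor compliance. The inventory format, hostnames and function names are assumptions; versions are compared numerically, because a string comparison would rank 145.0.7632.9 above 145.0.7632.75.

```python
import re

# Fixed versions as stated in this article, per platform.
PATCHED = {
    "windows": "145.0.7632.75",
    "macos": "145.0.7632.75",
    "linux": "144.0.7559.75",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 145.0.7632.75'; return a tuple of ints or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, reported):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(reported)
    if minimum is None or version is None:
        return "unknown"  # treat as non-compliant until verified
    return "patched" if version >= parse_version(minimum) else "vulnerable"


def audit(inventory):
    """Map hostname -> status for rows of (host, platform, reported version)."""
    return {host: classify(platform, reported) for host, platform, reported in inventory}


# Constructed sample inventory (hostnames and values are illustrative).
SAMPLE = [
    ("ws-001", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-002", "windows", "Google Chrome 145.0.7632.9"),   # 9 < 75 numerically
    ("mac-01", "macos", "145.0.7632.75"),
    ("lnx-01", "linux", "Google Chrome 144.0.7559.60"),
    ("lnx-02", "linux", "Google Chrome 144.0.7559.75"),
    ("kiosk-1", "windows", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Endpoints reported as "unknown" (unparseable version or a platform without a listed fix) should be followed up manually rather than counted as compliant.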