Chrome’s First 2026 Zero-Day: Update Now!
Google Patches Chrome’s First Zero-Day of 2026 … Here’s What You Need to Know
TL;DR: Google has released an emergency fix for CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome’s CSS engine that attackers are already exploiting in the wild. The flaw (CVSS 8.8) allows remote code execution inside the browser sandbox via a malicious webpage. Update Chrome immediately to version 145.0.7632.75 (Windows/Mac) or 144.0.7559.75 (Linux).
What Happened
Google just quietly pushed an emergency Chrome update, and this one matters. Attackers have been caught actively exploiting CVE-2026-2441 … a use-after-free bug buried in Chrome’s CSS handling … before a fix was even ready. That makes it Chrome’s first confirmed zero-day of 2026.
Security researcher Shaheen Fazim reported the flaw on February 11. Two days later, Google confirmed it was already being exploited in the wild. That’s a tight window, and it tells you the severity is real … not theoretical.
Why This Matters
Here’s the short version: a specially crafted webpage is all it takes. Visit the wrong page, and an attacker can execute arbitrary code inside your browser’s sandbox. No extra interaction needed. No downloads. No popups. Just a malicious HTML page doing the work.
The vulnerability sits in how Chrome processes CSS … the language that styles every webpage you visit. A use-after-free bug means the browser accesses memory that’s already been freed, and attackers can hijack that to run their own code. Google assigned it a CVSS score of 8.8 out of 10 … firmly in “high severity” territory.
Google hasn’t said whether these attacks are targeted (think: state-sponsored espionage) or part of a broader campaign. They’re keeping details locked down until most users have patched, which is standard practice to prevent other attackers from reverse-engineering the exploit.
What You Need to Do Right Now
This one’s straightforward:
- Update Chrome immediately. Go to Settings > About Chrome, or navigate to chrome://settings/help. Chrome should auto-update, but don’t wait for it.
- Target versions: 145.0.7632.75 for Windows and Mac, 144.0.7559.75 for Linux.
- Restart your browser after updating. The patch doesn’t take effect until you do.
- If you manage endpoints for an organization, push this update through your patch management system now. Don’t let it ride on the next scheduled cycle.
The Bigger Picture
If this feels like deja vu, it should. Google spent most of 2025 playing whac-a-mole with actively exploited Chrome bugs … eight confirmed zero-days across the year. CVE-2026-2441 suggests 2026 is picking up right where 2025 left off.
And this patch lands in a rough week for Chrome’s security reputation. Just days ago, researchers revealed that 287 Chrome extensions were quietly siphoning users’ browsing histories to data brokers. That’s a separate issue, but it’s a reminder: browser security isn’t just about the browser itself. It’s about the entire ecosystem bolted onto it.
What Is a Use-After-Free Vulnerability?
For those earlier in their cybersecurity journey, here’s the quick breakdown. When software allocates a chunk of memory to do something … say, process a CSS style … it’s supposed to release (“free”) that memory when it’s done. A use-after-free bug happens when the software frees the memory but then tries to use it again. An attacker can slip their own data into that freed memory space, and when the program accesses it, it executes the attacker’s code instead of what it expected.
Think of it like returning a locker at a gym, but the system still thinks it’s yours. Someone else stuffs something malicious in that locker, and the next time you open it … surprise.
Use-after-free vulnerabilities are among the most common and dangerous classes of memory corruption bugs, and they’ve been a recurring theme in Chrome zero-days for years.
Key Takeaways
- CVE-2026-2441 is a high-severity use-after-free in Chrome’s CSS engine (CVSS 8.8)
- It’s being actively exploited in the wild … this isn’t theoretical
- A malicious webpage alone can trigger code execution in the browser sandbox
- Google has patched it in Chrome 145.0.7632.75 (Win/Mac) and 144.0.7559.75 (Linux)
- Update now. Restart your browser. Don’t wait for auto-update.
- If you manage fleet devices, push this patch through your MDM/endpoint management immediately
Source: The Register … Google patches Chrome zero-day as in-the-wild exploits surface (https://www.theregister.com/2026/02/16/chromes_zeroday/)