What is Google Chrome / Chromium?
Google Chrome is the world's most widely used web browser, with a market share exceeding 65%. It is built on the open-source Chromium project, which is also the foundation for Microsoft Edge, Opera, Brave, and dozens of other browsers. Chrome's multi-process architecture separates rendering (the renderer process) from the browser core and OS. A use-after-free vulnerability in the renderer can allow an attacker to execute arbitrary code within the renderer sandbox — a highly valuable primitive that can be combined with a sandbox escape to achieve full OS-level code execution.
Overview
CVE-2026-2441 is a use-after-free vulnerability (CWE-416) in Chrome's CSS processing subsystem. When Chrome's renderer accesses a CSS object after it has been freed, an attacker can craft a malicious HTML page that triggers the freed memory access, enabling arbitrary code execution within the renderer. A remote attacker needs only to deliver a crafted web page — visiting it is sufficient to trigger exploitation. Google confirmed an exploit existed in the wild, making this the first Chrome zero-day of 2026. CISA added it to the KEV catalog four days after the patch release.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome (Windows / macOS) | Prior to 145.0.7632.75 | Chrome 145.0.7632.75 / 145.0.7632.76 |
| Google Chrome (Linux) | Prior to 144.0.7559.75 | Chrome 144.0.7559.75 |
| Microsoft Edge (Chromium-based) | Corresponding versions before fix | Updated via separate Microsoft patch |
| Other Chromium-based browsers | Corresponding vulnerable versions | Vendor-specific updates |
Technical Details
The vulnerability (CWE-416: Use After Free) is in Chrome's CSS processing engine within the renderer process. A use-after-free occurs when a program continues to use a pointer to memory that has already been freed and potentially reallocated. In the CSS subsystem, a lifecycle management error causes an object to be freed while a reference to it is retained; subsequent access through that retained reference reads memory that may now contain attacker-controlled data.
Successful exploitation of a renderer use-after-free in Chrome achieves arbitrary code execution within the renderer sandbox. The renderer process handles JavaScript and CSS and is intentionally isolated from the OS and browser core. A renderer exploit is a necessary first step in a two-stage browser attack: stage one (this CVE) achieves code execution in the renderer; stage two requires a separate sandbox escape vulnerability to reach the OS. Whether this vulnerability was chained with a sandbox escape in the observed exploitation is not publicly confirmed.
The attack vector is purely web-based: a user visiting a crafted page with Chrome (or another Chromium-based browser) can be exploited without any download, plugin, or additional user interaction.
Discovery
Reported by Shaheen Fazim on 11 February 2026. The patch was released two days later.
Exploitation Context
Google confirmed "an exploit for CVE-2026-2441 exists in the wild" in the Chrome release notes — standard language Google uses when a zero-day has been confirmed exploited before the patch. This was the first Chrome zero-day of 2026. Google did not disclose attribution, campaign details, or whether this was targeted or widespread exploitation. CISA added it to the KEV catalog four days after the patch was released. The vulnerability also affects all other Chromium-based browsers (Microsoft Edge, Opera, Brave, etc.) on affected versions, significantly broadening the attack surface.
Remediation
- Update Chrome immediately to version 145.0.7632.75 or later (Windows/macOS) or 144.0.7559.75 or later (Linux). Check via Chrome menu → Help → About Google Chrome.
- Enable automatic updates in Chrome (enabled by default) — verify Chrome is set to update automatically and restart it periodically to apply updates.
- Update all Chromium-based browsers: Microsoft Edge, Opera, Brave, and others received or will receive their own updates based on the same upstream Chromium fix — apply those updates as well.
- Consider using Chrome's Enhanced Protection mode in Safe Browsing (Settings → Privacy and Security → Security → Enhanced protection) to receive faster protection against novel threats.
- For enterprise deployments: use Google's Chrome Enterprise management to push updates centrally and verify version compliance across all managed devices.
- Monitor for browser crashes or unusual network connections from Chrome processes, which may indicate active exploitation attempts.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-2441 |
| Vendor / Product | Google — Chromium |
| NVD Published | 2026-02-13 |
| NVD Last Modified | 2026-02-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 find similar ↗ |
| CISA KEV Added | 2026-02-17 |
| CISA KEV Deadline | 2026-03-10 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-02-11 | Vulnerability reported by Shaheen Fazim |
| 2026-02-13 | Google releases Chrome 145.0.7632.75/76 (Windows/macOS) fixing the zero-day |
| 2026-02-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-02-23 | NVD last modified |
| 2026-03-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome Stable Channel Update — 13 February 2026 | Vendor Advisory |
| NVD — CVE-2026-2441 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| New Chrome Zero-Day CVE-2026-2441 Under Active Exploitation | News |
| Google Patches Chrome Vulnerability with In-the-Wild Exploit | News |
| Malwarebytes — Update Chrome Now: Zero-Day Bug CVE-2026-2441 | Security Research |