Chrome's First Zero-Day of 2026 Was Exploited Before Google Could Patch It

What Happened

On February 14, Google released an emergency security update for Chrome to fix CVE-2026-2441, a high severity vulnerability that was already being exploited in the wild. It is the first actively exploited Chrome zero-day of 2026.

The flaw sits in Chrome's CSS processing engine. It is a use after free bug, a type of memory safety error where the browser continues to reference a piece of memory after it has been freed. An attacker who crafts a malicious HTML page can trigger this bug and execute arbitrary code inside Chrome's sandbox.

In practical terms: visiting the wrong webpage was enough.

How Use After Free Attacks Work

Every time Chrome renders a webpage, it allocates and frees blocks of memory to handle CSS styles, layout calculations, and rendering. A use after free bug occurs when Chrome frees a memory block but keeps a pointer to it. If an attacker can fill that freed memory with their own data before Chrome accesses it again, they can hijack the browser's execution flow.

The CVSS score for this vulnerability is 8.8 out of 10. While the attacker's code runs inside Chrome's sandbox (a security boundary that limits what the code can do), sandbox escapes are frequently chained with memory bugs like this one to achieve full system compromise.

Use after free vulnerabilities are consistently among the most dangerous browser bugs. Of the eight Chrome zero-days Google patched in 2025, the majority were memory safety issues in the same category.

The Timeline

Security researcher Shaheen Fazim discovered the vulnerability and reported it to Google on February 11. Google confirmed active exploitation and released patches on February 14, just three days later.

Google has not disclosed who was exploiting the flaw, how the attacks were carried out, or who was targeted. This is standard practice for actively exploited bugs. Google withholds details until a majority of users have updated, to avoid giving other attackers a roadmap.

What we do know is that someone was using this flaw against real targets before the patch existed.

Which Versions Are Affected

Any version of Chrome prior to the following is vulnerable:

• Windows and macOS: Chrome 145.0.7632.75 or 145.0.7632.76
• Linux: Chrome 144.0.7559.75

To update, open Chrome and navigate to More > Help > About Google Chrome. The browser will check for updates and prompt you to relaunch.

Other Chromium based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, share Chrome's rendering engine. Users of these browsers should apply updates as they become available from their respective vendors.

Why Browser Zero-Days Matter

Chrome has roughly 65% of the global browser market. A zero-day in Chrome is a zero-day in the most widely used application on Earth.

Browser zero-days are frequently used in targeted attacks against journalists, dissidents, and corporate executives. The commercial spyware industry, companies like NSO Group and Intellexa, regularly purchases browser exploits to deploy surveillance tools. A single Chrome zero-day can sell for over $1 million on the exploit market.

Google patched eight Chrome zero-days in 2025. The fact that 2026 started with an actively exploited bug in the CSS engine, one of the most fundamental components of any browser, underscores how persistent these threats are.

What You Should Do

Update Chrome immediately. This is not a theoretical vulnerability. It was being used against people before the patch shipped.

• Open Chrome, go to Help > About Google Chrome, and update
• Restart your browser after updating to apply the fix
• Enable automatic updates if you have not already
• Review your installed extensions since malicious extensions can amplify browser vulnerabilities
• Consider enabling Chrome's Enhanced Safe Browsing for real time protection against malicious pages

Browser vulnerabilities work silently. You would not know you visited a weaponized page until the damage was done. Keeping your browser updated is the single most impactful thing you can do to reduce your attack surface online.