
Google Patches First Chrome Zero-Day of 2026: CVE-2026-2441 Under Active Exploitation

Google has issued an emergency Chrome 145 update to fix CVE-2026-2441, a use-after-free vulnerability in CSS font handling that is actively being exploited in the wild.


TechDrop Editorial


Google has released an emergency update for Chrome to address CVE-2026-2441, a high-severity zero-day vulnerability that is being actively exploited in attacks. This is the first Chrome zero-day of 2026, and Google treated it with enough urgency to push a dedicated stable channel update rather than waiting for the next scheduled release cycle.

Technical Details of the Vulnerability

CVE-2026-2441 is a use-after-free vulnerability rooted in an iterator invalidation flaw within the CSSFontFeatureValuesMap implementation — the component responsible for managing CSS font feature values in Chrome's rendering engine. The flaw carries a CVSS score of 8.8.

A remote attacker can exploit the vulnerability by crafting a malicious HTML page that triggers the flaw, allowing arbitrary code execution inside the Chrome sandbox. When chained with additional exploits, the vulnerability can enable sandbox escapes, session hijacking, and data exfiltration from open browser tabs.

Affected Versions and the Fix

The vulnerability was discovered and reported by security researcher Shaheen Fazim on February 11, 2026. Google's patched versions are:

  • Windows and macOS: Chrome 145.0.7632.75 / 145.0.7632.76
  • Linux: Chrome 145.0.7632.75

Users on any version below these numbers remain at risk. Chrome typically updates automatically, but users should verify their version by navigating to Settings > Help > About Google Chrome and allowing any pending updates to complete.

What Users Should Do

Update Chrome immediately. Given that exploitation has been confirmed in the wild, this is not an update to defer. Organizations running managed Chrome deployments should prioritize pushing the update across endpoints without delay. The vulnerability affects Chrome on all major desktop platforms.
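For managed fleets, the version check described above can be run over an endpoint inventory export. The following is an added example, not code from Google or from this article; the CSV layout, hostnames and sample versions are constructed, and it assumes 145.0.7632.75 is the minimum safe build on every platform, per the versions listed above.

```python
import re

# Lowest patched build per platform, taken from the article's version list.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (145, 0, 7632, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    floor = PATCHED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unparseable data needs a manual look, not a pass
    # Tuple comparison is numeric per component, so .100 sorts above .75.
    return "patched" if version >= floor else "vulnerable"

def audit(inventory_lines):
    """Map hostname -> status for 'host,os,version string' CSV lines."""
    results = {}
    for line in inventory_lines:
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # skip rows that do not match the assumed layout
        host, os_name, version_text = parts
        results[host] = classify(os_name, version_text)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    "ws-01,Windows,Google Chrome 145.0.7632.76",
    "mb-02,macOS,Google Chrome 145.0.7632.45",
    "lx-03,Linux,Google Chrome 145.0.7632.100",
    "ws-04,Windows,Google Chrome 144.0.7000.10",
    "lx-05,Linux,version lookup failed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unpatched until their version is confirmed.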
