Google Chrome Zero‑Day Vulnerability (CVE‑2026‑2441) – Emergency Security Update Released

Google has rolled out an urgent security update for Chrome to address a newly discovered zero‑day vulnerability (CVE‑2026‑2441) that attackers are already exploiting in the wild. This marks the first actively exploited Chrome security flaw patched in 2026.

What Is CVE‑2026‑2441?

• The flaw is a use‑after‑free vulnerability caused by an iterator invalidation bug in Chrome’s CSSFontFeatureValuesMap component.
• Discovered by security researcher Shaheen Fazim, the bug can lead to browser crashes, rendering errors, data corruption, or other unpredictable behavior.
• Because attackers are actively leveraging this weakness, Google classified it as high‑severity.

Google’s Response

• Emergency Patch Released: The fix has been deployed in Chrome versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
• Cherry‑Picked Fix: The patch was backported directly into stable releases, highlighting its urgency.
• Ongoing Work: Google noted that while the immediate issue is resolved, related problems are still being tracked under bug 483936078.
• Restricted Details: To protect users, Google is withholding exploit specifics until most systems are updated.

Why This Matters

• This is the first Chrome zero‑day of 2026, following a year in which Google patched eight zero‑days in 2025, many linked to spyware campaigns targeting high‑risk individuals.
• Zero‑day vulnerabilities are especially dangerous because attackers exploit them before patches are widely available.

How to Stay Protected

• Update Chrome Immediately: Navigate to Settings → Help → About Google Chrome to trigger the update.
• Restart Your Browser: Updates only take effect after relaunch.
• Enable Auto‑Updates: Allow Chrome to handle future patches automatically.