Google has released an emergency update for its Chrome browser to address CVE-2026-2441, a high-severity zero-day vulnerability the company confirmed is being exploited in the wild.
In a security advisory published Feb. 13, 2026, Google said it was “aware that an exploit for CVE-2026-2441 exists in the wild.” The flaw carries a CVSS score of 8.8 and affects Chrome’s Cascading Style Sheets (CSS) component.
The vulnerability is a use-after-free memory bug affecting CSSFontFeatureValuesMap, the module that Chrome uses to implement CSS font feature values.
Use-after-free flaws occur when a program continues to use memory after it has been ‘freed’ (released back to the system for reuse). This can lead to data corruption, crashes, or arbitrary code execution.
Security researcher Shaheen Fazim reported the issue on Feb. 11, 2026. According to the vulnerability description, a remote attacker could exploit the flaw by luring a target to a malicious website, then potentially executing unauthorized code within Chrome’s sandbox. While sandboxing limits direct operating system access, attackers frequently chain browser flaws with additional vulnerabilities to escape containment.
Google has restricted detailed technical information about the bug until most users have applied the patch, citing the risk of further exploitation.
The fix is available in Chrome 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. The patch was backported into the stable channel rather than waiting for a future major release.
Google noted that the update addresses the “immediate problem,” with additional related work still being tracked internally. The company has not disclosed information about threat actors, victim profiles, or the scale of attacks.
CVE-2026-2441 is the first actively exploited Chrome zero-day patched in 2026. In 2025, Google addressed eight in-the-wild Chrome zero-days, reinforcing the need for rapid patch management and automated browser update enforcement across endpoints.
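For endpoint teams, the per-platform fixed builds listed above can be checked against a browser inventory. The following is an added example, not code from Google or from the advisory; the CSV layout, hostnames and sample versions are constructed, and taking .75 as the Windows/macOS minimum and flagging builds on branches the article does not mention for manual review are assumptions.

```python
import csv
import io

# Fixed builds as stated in the article, keyed by platform.
# Windows/macOS ship as .75/.76; the lower value is used as the minimum (assumption).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Classify one install as 'patched', 'vulnerable' or 'review'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "review"              # unknown platform or unparseable version
    if version[:3] == fixed[:3]:     # same branch: compare the patch number
        return "patched" if version[3] >= fixed[3] else "vulnerable"
    if version[:3] < fixed[:3]:      # older branch: article lists no fix for it
        return "vulnerable"
    return "review"                  # newer branch: not covered by the article

def triage(inventory_csv):
    """Map each host in a 'host,platform,version' CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["version"]) for r in rows}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,platform,version
ws-01,windows,145.0.7632.76
ws-02,windows,144.0.7559.75
mac-01,macOS,145.0.7632.46
lin-01,linux,144.0.7559.75
lin-02,linux,145.0.7632.45
kiosk-01,chromeos,145.0.7632.75
lin-03,linux,unknown
"""

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

A plain "greater than or equal" comparison across branches would mark `lin-02` as patched even though the article names no fixed build on that branch for Linux, which is why such hosts are routed to review instead.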