Google has released an urgent security update for Chrome after a high-severity zero-day vulnerability was actively exploited in the wild. The vulnerability is tracked as CVE-2026-2441 and is a use-after-free bug in Chrome’s CSS handling. It was reported by independent researcher Shaheen Fazim on February 11, 2026, just five days before the patch.
The vulnerability allows attackers to execute arbitrary code by exploiting memory corruption. Systems running Chrome versions before the patch are at risk. Attackers have already weaponized this bug, likely combining it with other techniques to escape the browser sandbox and gain higher privileges on Windows, macOS, and Linux devices.
Google released the patch as part of its latest Stable channel update and is urging users to update immediately. Details of the vulnerability have been limited until most users apply the patch, following Google’s policy for actively exploited flaws.
The patched versions are:
- Windows: 145.0.7632.75 / 145.0.7632.76
- macOS: 145.0.7632.75 / 145.0.7632.76
- Linux: 144.0.7559.75
Users can update Chrome via its built-in updater. For organizations, it is important to prioritize patching, monitor for unusual network activity, and follow advisories from security agencies like CISA.
This incident highlights ongoing challenges in browser security, particularly in CSS rendering, as browser-based attacks become more sophisticated. While specific indicators of compromise are not yet public, phishing and compromised websites remain likely attack vectors. Security teams should keep track of Chrome’s release notes and Chromium’s security page for updates.
