Critical Chrome Security Flaw CVE-2026-2441 Under Active Attack

Google has released an urgent security update for its Chrome web browser after confirming that a dangerous zero-day vulnerability is being actively exploited by attackers in the wild. The flaw, tracked as CVE-2026-2441, allows remote attackers to execute malicious code through specially crafted web pages, putting millions of users at risk.

This security issue has been rated high severity, with a CVSS score of 8.8, and it affects older versions of the Chrome browser across multiple operating systems. Google strongly recommends that all users update their browsers immediately to stay protected.

CVE-2026-2441 is classified as a use-after-free vulnerability found in Chrome’s CSS (Cascading Style Sheets) engine. In simple terms, this type of bug happens when the browser continues to use memory that has already been freed. Attackers can take advantage of this mistake to manipulate memory and run harmful code.

The vulnerability was discovered and responsibly reported on February 11, 2026, by security researcher Shaheen Fazim.

According to the National Institute of Standards and Technology (NIST) vulnerability database, the flaw allows attackers to execute arbitrary code inside Chrome’s sandbox by luring users to a malicious HTML page. While sandboxing limits damage, skilled attackers can still use such access as a stepping stone for more advanced attacks.

What makes CVE-2026-2441 especially serious is that it is a zero-day vulnerability, meaning attackers were exploiting it before a patch was available.

Google confirmed that an exploit for this vulnerability exists in the wild, although it has not shared details about:

• Who is behind the attacks

• Which users or organizations are being targeted

• How widespread the exploitation is

This lack of detail is common in active zero-day cases, as releasing too much information could help attackers.

This is the first actively exploited Chrome zero-day vulnerability patched in 2026. In comparison, Google fixed eight Chrome zero-days in 2025, showing that modern browsers continue to be a top target for cybercriminals.

Web browsers like Google Chrome are installed on billions of devices worldwide. They handle sensitive data such as passwords, payment details, and personal messages. Because users trust their browsers, attackers often focus on browser flaws to gain access without raising suspicion.

Simply visiting a compromised or malicious website can be enough to trigger an attack when a zero-day vulnerability is involved. This makes fast patching critical for both individuals and organizations.

Google has released patched versions of Chrome to fix CVE-2026-2441. Users should update to the following versions immediately:

• Windows & macOS: 145.0.7632.75 or 145.0.7632.76

• Linux: 144.0.7559.75

To make sure your browser is fully updated:

1. Open Chrome

2. Click the three-dot menu (More)

3. Go to Help > About Google Chrome

4. Chrome will automatically check for updates

5. Click Relaunch to apply the update

Delaying a restart may leave your system exposed even after the update downloads.