Security · 2 min read

CVE-2026-2441: Actively Exploited Chrome CSS Zero-Day (Use-After-Free)

On February 13, 2026, Google shipped an emergency update for Google Chrome that fixes CVE-2026-2441, the first Chrome zero-day of the year known to be exploited in the wild. It is a use-after-free vulnerability in the browser's CSS component, specifically in CSSFontFeatureValuesMap, the object that stores the named font feature values declared by an @font-feature-values at-rule and hands them to font rendering.

What the vulnerability is

A use-after-free (CWE-416) is a memory-management error in which a program keeps using a pointer to a memory region that has already been freed. The root cause here is an iterator invalidation bug: Chrome loops over the set of font feature values while that same set is modified from inside the loop. The modification can free the entry, or the backing storage, that the loop iterator still refers to, so the next dereference reads or writes freed memory. An attacker who can shape the renderer's heap can arrange for that freed memory to be reused by an object of their choosing, which turns a stale read into controlled memory corruption.

From that corruption, a remote attacker can reach arbitrary code execution inside Chrome's renderer process through a crafted HTML page. The renderer is sandboxed, so a full compromise of the host still requires a separate sandbox-escape bug, which is how in-the-wild Chrome exploit chains are typically built. The nasty part is that the attack needs no clicks and no interaction beyond loading the page: simply visiting a malicious site is enough to trigger it.
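To make the bug class concrete, here is an added illustration written for this article; it is not Chromium's code and does not reproduce the actual flaw. It models a "feature name → value indices" map (the class and method names are assumptions) and contrasts the vulnerable loop shape with two safe ones: a fail-fast loop that counts mutations and never advances a possibly stale iterator, and a snapshot loop that copies the keys before visiting them.

```cpp
// Added illustration, not Chromium's code. Models a feature-values map and
// shows how mutating it from inside a traversal becomes a use-after-free.
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

class FeatureValuesMap {
 public:
  using Values = std::vector<unsigned>;
  using Callback = std::function<void(const std::string&, FeatureValuesMap&)>;

  void Set(const std::string& name, Values values) {
    map_[name] = std::move(values);
    ++generation_;  // every mutation bumps the generation counter
  }
  bool Erase(const std::string& name) {
    const bool removed = map_.erase(name) > 0;
    if (removed) ++generation_;
    return removed;
  }
  std::size_t size() const { return map_.size(); }

  // Vulnerable shape. If cb erases the entry `it` refers to, that node is
  // freed and `++it` then touches freed memory (CWE-416 via iterator
  // invalidation). Kept only for contrast; nothing below calls it.
  void ForEachUnsafe(const Callback& cb) {
    for (auto it = map_.begin(); it != map_.end(); ++it) cb(it->first, *this);
  }

  // Fix 1, fail fast: stop as soon as the callback mutated the map, without
  // ever advancing the (possibly dangling) iterator. Returns entries visited.
  std::size_t ForEachFailFast(const Callback& cb, bool* mutated) {
    const unsigned long start = generation_;
    std::size_t visited = 0;
    for (auto it = map_.begin(); it != map_.end();) {
      const std::string name = it->first;  // copy: the node may vanish in cb
      cb(name, *this);
      ++visited;
      if (generation_ != start) {  // `it` may be stale now; do not touch it
        *mutated = true;
        return visited;
      }
      ++it;
    }
    *mutated = false;
    return visited;
  }

  // Fix 2, snapshot: copy the keys first, then re-look-up each one before
  // visiting it. Tolerates erase/insert inside cb and skips vanished entries.
  std::size_t ForEachSnapshot(const Callback& cb) {
    std::vector<std::string> keys;
    keys.reserve(map_.size());
    for (const auto& kv : map_) keys.push_back(kv.first);
    std::size_t visited = 0;
    for (const auto& key : keys) {
      if (map_.find(key) == map_.end()) continue;  // removed by an earlier cb
      cb(key, *this);
      ++visited;
    }
    return visited;
  }

 private:
  std::map<std::string, Values> map_;
  unsigned long generation_ = 0;
};

struct DemoResult {
  std::size_t visited;
  bool mutated;
  std::size_t final_size;
};

// Constructed sample: three feature blocks, as a stylesheet might declare.
static FeatureValuesMap SampleMap() {
  FeatureValuesMap m;
  m.Set("swash", {1});
  m.Set("styleset", {2, 3});
  m.Set("ornaments", {4});
  return m;
}

// Read-only traversal: all three entries visited, nothing mutated.
DemoResult RunFailFastReadOnly() {
  FeatureValuesMap m = SampleMap();
  bool mutated = false;
  std::size_t n = m.ForEachFailFast(
      [](const std::string&, FeatureValuesMap&) {}, &mutated);
  return {n, mutated, m.size()};
}

// Callback erases the entry being visited: fail-fast stops after one entry.
DemoResult RunFailFastWithErase() {
  FeatureValuesMap m = SampleMap();
  bool mutated = false;
  std::size_t n = m.ForEachFailFast(
      [](const std::string& name, FeatureValuesMap& self) { self.Erase(name); },
      &mutated);
  return {n, mutated, m.size()};
}

// Callback erases a later key and inserts a new one: the snapshot loop copes.
DemoResult RunSnapshotWithMutation() {
  FeatureValuesMap m = SampleMap();
  std::size_t n = m.ForEachSnapshot(
      [](const std::string& name, FeatureValuesMap& self) {
        if (name == "ornaments") {  // first key in std::map order
          self.Erase("swash");      // later key: the snapshot loop skips it
          self.Set("annotation", {9});
        }
      });
  return {n, true, m.size()};
}
```

The fail-fast variant is the cheaper fix and is what a generation counter or a debug-only "modification during iteration" check gives you; the snapshot variant is what you reach for when callbacks legitimately need to add or remove entries. Either way the rule is the same: never dereference or advance an iterator after code you do not control has run against the container.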

Who is affected

The flaw affects Google Chrome on every desktop platform: Windows, macOS and Linux. Because it sits in the Blink rendering engine, it also affects Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi and others) until each project picks up the upstream fix. On Linux that covers both the official Chrome package and the Chromium builds shipped by each distribution, which often lag Google's release by days.

Severity

Google and the NVD rate the flaw as high severity, with a CVSS score of 8.8. Two things push it above an ordinary use-after-free:

  • Confirmed exploitation in the wild. Google acknowledged that a working exploit is in active use, which makes CVE-2026-2441 a live zero-day rather than a purely theoretical issue.
  • Trivial attack vector. Because it fires on page load alone, it is a prime candidate for drive-by exploitation via malvertising and watering-hole attacks.

Security researcher Shaheen Fazim reported the bug on February 11, 2026, and Google issued the patch just two days later, a turnaround that reflects how urgent Google judged it to be. Public proof-of-concept code has also surfaced, lowering the bar for other attackers.

Mitigation and patch

The only effective mitigation is to update the browser right away; there is no configuration toggle that disables the affected code path. The fixed versions are:

  • Chrome 145.0.7632.75/76 for Windows and macOS.
  • Chrome 144.0.7559.75 for Linux.

To force the update, open the Chrome menu → Help → About Google Chrome (or go to chrome://settings/help); the browser will check for and install the available version. You then need to relaunch Chrome for the patch to take effect: Chrome downloads updates in the background, but a long-running instance keeps executing the old, vulnerable code until it is restarted, so a browser that has been open for days is still exposed even if the update has already been downloaded. After relaunching, confirm the version shown at chrome://version. On Linux, also run the package update through your distribution's package manager (apt, dnf, etc.) and restart any open instances. If you run a Chromium-based browser, watch for the patched release from your vendor and apply it as soon as it lands.
