Google Chrome CSS Use-After-Free Zero-Day Vulnerability (CVE-2026-2441)

Red | Vulnerability Report

Summary

CVE-2026-2441 represents a critical use-after-free vulnerability (CWE-416) in the CSS rendering engine of Google Chrome and Chromium-based browsers, putting millions of users at risk of silent compromise through drive-by attacks requiring nothing more than visiting a malicious or compromised webpage. The memory corruption flaw stems from faulty memory management in the browser’s CSS font feature value processing logic, where an object is deallocated but remains accessible through a dangling pointer, creating conditions that attackers can exploit to manipulate application memory, hijack browser behavior, and execute arbitrary code with minimal user interaction. Google has confirmed active in-the-wild exploitation of this zero-day vulnerability, underscoring the urgent need for immediate browser updates across all platforms.

Use-after-free vulnerabilities occur when software continues to reference memory after it has been freed and potentially reallocated for other purposes. In CVE-2026-2441, this condition exists within the Chromium rendering engine’s CSS processing pipeline, specifically in how CSS font feature values are handled during page rendering. When a CSS object is properly freed from memory but the browser maintains a stale pointer to that memory location, subsequent operations using that pointer can access or manipulate whatever data now occupies that memory space. Attackers can carefully craft malicious CSS content to control the state of freed memory, allowing them to influence application behavior, corrupt critical data structures, redirect execution flow, and ultimately achieve arbitrary code execution within the browser’s security context.

Exploitation typically occurs through drive-by attacks delivered via specially crafted webpages. Victims need only visit a malicious website, click a phishing link redirecting to attacker-controlled infrastructure, or view compromised legitimate websites serving malicious advertisements for the exploit to trigger automatically. Once the malicious page loads in the vulnerable browser, the CSS rendering pipeline processes the crafted content, activating the use-after-free condition and enabling attackers to execute code within the browser environment. Critically, no additional user interaction beyond opening the webpage is required, making this vulnerability particularly dangerous for both targeted attacks and mass exploitation campaigns. The exploit can be delivered through phishing emails containing malicious links, compromised websites serving as watering holes for specific target populations, or malicious advertising networks distributing exploit code to broad audiences.

The vulnerability affects all Chrome versions prior to the patched releases across Windows, macOS, and Linux platforms. Specifically, versions before 145.0.7632.75 on Windows and macOS, and versions before 144.0.7559.75 on Linux are vulnerable. Organizations using Chrome’s Extended Stable channel must update to version 144.0.7559.177 or later. Additionally, the flaw originates in the open-source Chromium engine, meaning other Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi are also affected until their respective vendors integrate the upstream Chromium fix and release vendor-specific updates. Each browser vendor operates on its own release cycle, so patching timelines vary across the ecosystem.

Google’s confirmation of active exploitation indicates that sophisticated threat actors have already weaponized this vulnerability and are using it in real-world attack campaigns. The combination of confirmed exploitation, public awareness following disclosure, minimal exploitation complexity, and the ubiquity of Chrome and Chromium-based browsers creates an extremely high-risk situation requiring immediate remediation. Use-after-free vulnerabilities have repeatedly proven to be reliable exploitation vectors in modern browser engines, and CVE-2026-2441 represents the latest example of this persistent class of memory safety issues affecting performance-critical rendering operations.

Vulnerability Details (Condensed)

Vulnerability Class: Use-after-free (CWE-416) in Chromium CSS rendering engine

Root Cause: Faulty memory management in CSS font feature value processing; freed object still referenced through dangling pointer

Exploitation Method: Drive-by attacks via malicious webpages; requires only visiting attacker-controlled or compromised site; no additional user interaction needed

Affected Versions:

  • Chrome < 145.0.7632.75 (Windows/macOS)
  • Chrome < 144.0.7559.75 (Linux)
  • Chrome Extended Stable < 144.0.7559.177
  • Chromium-based browsers (Edge, Brave, Opera, Vivaldi) until vendor-specific patches released

Exploitation Confirmed: Google confirms active in-the-wild exploitation; sophisticated threat actors already weaponizing vulnerability

Attack Vectors: Phishing links, compromised legitimate websites, malicious advertising, watering hole attacks

Chromium Ecosystem Impact: Flaw originates in open-source Chromium engine affecting all downstream browsers


Recommendations

  1. Update Chrome Immediately – Windows/macOS: v145.0.7632.75+; Linux: v144.0.7559.75+; Extended Stable: v144.0.7559.177+; Critical: Must restart browser after update
  2. Prioritize High-Risk Endpoints – Expedite patching for executives, finance teams, IT administrators, SOC analysts, privileged users (frequent phishing/watering hole targets)
  3. Update All Chromium-Based Browsers – Monitor vendor advisories for Edge, Brave, Opera, Vivaldi; each has separate release cycles; do not assume simultaneous patching with Chrome
  4. Vulnerability Management & Continuous Assessment – Maintain current browser version inventory; implement automated patch compliance reporting; assess Electron-based applications embedding Chromium engine
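
The version inventory and patch compliance reporting in recommendation 4 can be automated along these lines. This is an added example, not code from Hive Pro or Google: the fixed builds are the ones listed in this advisory, while the record fields (host, os, browser, channel, version), the status labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# Minimum fixed Chrome builds, as stated in the advisory.
FIXED_STABLE = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
FIXED_EXTENDED = (144, 0, 7559, 177)  # Extended Stable channel
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build number."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(map(int, m.groups())) if m else None

def assess(rec):
    """Classify one inventory record (field names are assumptions of this example)."""
    if rec["browser"].lower() != "chrome":
        # Edge, Brave, Opera and Vivaldi patch on their own schedule and the
        # advisory lists no fixed build for them.
        return "CHECK_VENDOR"
    version = parse_version(rec["version"])
    if rec.get("channel", "stable") == "extended":
        minimum = FIXED_EXTENDED
    else:
        minimum = FIXED_STABLE.get(rec["os"].lower())
    if version is None or minimum is None:
        return "UNKNOWN"
    # Compare as integer tuples: as strings, "144.0.7559.100" sorts below
    # "144.0.7559.75" and a patched host would be reported as vulnerable.
    return "PATCHED" if version >= minimum else "VULNERABLE"

def report(inventory):
    """Map hostname to status; anything other than PATCHED needs follow-up."""
    return {rec["host"]: assess(rec) for rec in inventory}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    {"host": "fin-ws-01", "os": "windows", "browser": "chrome", "version": "145.0.7632.75"},
    {"host": "exec-mac-02", "os": "macos", "browser": "chrome", "version": "144.0.7559.200"},
    {"host": "soc-lnx-03", "os": "linux", "browser": "chrome", "version": "144.0.7559.100"},
    {"host": "it-ws-04", "os": "windows", "browser": "chrome", "channel": "extended", "version": "144.0.7559.176"},
    {"host": "it-ws-05", "os": "windows", "browser": "chrome", "channel": "extended", "version": "144.0.7559.177"},
    {"host": "dev-ws-06", "os": "windows", "browser": "edge", "version": "145.0.0.0"},
    {"host": "kiosk-07", "os": "linux", "browser": "chrome", "version": "unknown"},
]

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:12} {status}")
```

Where the inventory tool can report it, feed in the version of the running browser process rather than the installed package, since the update only takes effect after the restart called out in recommendation 1.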

MITRE ATT&CK TTPs

Initial Access: T1189 (Drive-by Compromise) | Execution: T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter) | Resource Development: T1588.006 (Obtain Capabilities: Vulnerabilities)
