Google patches a critical Chrome vulnerability already being exploited in the wild

Google recently patched a serious zero-day vulnerability in Chrome that could allow attackers to execute malicious code within the browser’s sandbox.

The vulnerability, tracked as CVE-2026-2441, was discovered and reported by security researcher Shaheen Fazim on February 11. Google quickly released the security fix two days later, on Friday. This vulnerability is a high-severity use-after-free bug, with a CVSS score of 8.8.

A use-after-free occurs when code keeps using a pointer to memory that has already been freed. Because the allocator can hand that freed block out again, an attacker who controls what lands there can manipulate the program's behaviour and, in the worst case, execute malicious code.

This particular vulnerability sits in the part of Chrome that deals with CSS, more precisely CSSFontFeatureValuesMap, the component that handles advanced font feature values. Attackers can craft a web page, possibly featuring special fonts, that tricks the browser into running their malicious code. The worst part is that a potential exploit doesn’t require you to click or download anything. Simply loading a malicious web page could trigger the attack and run code in Chrome’s memory.
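The use-after-free class described above, as an added illustration that is not Chromium code and makes no claim about the actual root cause of CVE-2026-2441: a tiny map of font feature values whose entries are reference-counted, so that a consumer still holding an entry when the map is cleared reads live memory instead of a freed block. The names (FeatureValues, FeatureMap, the scenario function) and the live-object counter are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Live-object counter so object lifetime can be observed from outside
 * (constructed for this example, not something a real allocator exposes). */
static int live_objects = 0;

typedef struct {
    int refcount;
    char tag[16];   /* a font feature tag such as "swsh" (sample value) */
    int value;
} FeatureValues;

static FeatureValues *feature_new(const char *tag, int value) {
    FeatureValues *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->refcount = 1;                       /* creator holds the first reference */
    strncpy(f->tag, tag, sizeof f->tag - 1);
    f->value = value;
    live_objects++;
    return f;
}

static FeatureValues *feature_ref(FeatureValues *f) {
    if (f) f->refcount++;
    return f;
}

/* Drops one reference and clears the caller's pointer, so the caller can
 * never be left holding a dangling pointer to a freed object. */
static void feature_unref(FeatureValues **slot) {
    FeatureValues *f = slot ? *slot : NULL;
    if (!f) return;
    *slot = NULL;
    if (--f->refcount == 0) {
        live_objects--;
        free(f);
    }
}

/* A fixed-size map that owns exactly one reference per entry. */
#define MAP_SLOTS 4
typedef struct { FeatureValues *entries[MAP_SLOTS]; } FeatureMap;

static int map_set(FeatureMap *m, int idx, FeatureValues *f) {
    if (idx < 0 || idx >= MAP_SLOTS) return -1;
    feature_unref(&m->entries[idx]);       /* release whatever was there before */
    m->entries[idx] = feature_ref(f);
    return 0;
}

static void map_clear(FeatureMap *m) {
    for (int i = 0; i < MAP_SLOTS; i++) feature_unref(&m->entries[i]);
}

/* Scenario: a consumer keeps a handle to an entry while the map is cleared
 * underneath it (the shape of bug a script can provoke by mutating a map
 * while a lookup result is still in use). Returns the value read through
 * the handle after the clear. */
int scenario_holder_outlives_map(void) {
    FeatureMap m = {{0}};
    FeatureValues *f = feature_new("swsh", 2);
    map_set(&m, 0, f);
    feature_unref(&f);                     /* creator's reference dropped; the map owns it */

    FeatureValues *handle = feature_ref(m.entries[0]);  /* consumer takes its own reference */
    map_clear(&m);                         /* the map's reference goes; the object survives */
    int v = handle->value;                 /* safe: refcount still 1 */
    feature_unref(&handle);                /* last reference: object is freed here */
    return v;
}

int live_object_count(void) { return live_objects; }

int main(void) {
    printf("value read via handle after map_clear: %d\n", scenario_holder_outlives_map());
    printf("live objects remaining: %d\n", live_object_count());
    return 0;
}
```

The hazard being guarded against is the naive form of the same scenario, in which the map owns the only reference and `map_clear` frees the entry while `handle` still points at it; the next read through `handle` is then the use-after-free. Building test code with `-fsanitize=address` (AddressSanitizer) is the standard way to catch that naive variant before it ships.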

Google confirmed that the flaw is exploited "in the wild," which means that attackers are actively using it, though real-world cases weren’t explicitly mentioned. The good news is that Chrome’s built-in sandbox limits the potential damage to some extent. Unlike vulnerabilities inside native OS components, this one doesn’t directly allow attackers to gain control over the entire computer, but they could very well access users’ browsing data, spy on open tabs, or chain it with further bugs to escape the sandbox.

Google released the patch for Chrome 145.0.7632.75/76 (Windows/macOS) and 144.0.7559.75 (Linux), with a gradual global rollout. Users are highly advised to update their browsers immediately. To update your Google Chrome version, go to Help > About Google Chrome and check for updates. Once the update appears, wait for Chrome to install it, relaunch the browser, and you should be in the clear.
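An added version check, not part of the article, that compares an installed Chrome build against the patched builds quoted above (145.0.7632.75 for Windows/macOS, 144.0.7559.75 for Linux), so an inventory of machines can be screened without opening the About page on each one. The Platform enum and the function names are this example's own, and the installed version string is assumed to come from an inventory export or from `chrome --version`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Platform names are this example's own convention. */
typedef enum { PLATFORM_WINDOWS, PLATFORM_MACOS, PLATFORM_LINUX, PLATFORM_UNKNOWN } Platform;

/* Minimum patched builds as stated in the article. */
static const char *patched_version_for(Platform p) {
    switch (p) {
    case PLATFORM_WINDOWS:
    case PLATFORM_MACOS:   return "145.0.7632.75";
    case PLATFORM_LINUX:   return "144.0.7559.75";
    default:               return NULL;
    }
}

Platform platform_from_name(const char *name) {
    if (!name) return PLATFORM_UNKNOWN;
    if (strcmp(name, "windows") == 0) return PLATFORM_WINDOWS;
    if (strcmp(name, "macos") == 0)   return PLATFORM_MACOS;
    if (strcmp(name, "linux") == 0)   return PLATFORM_LINUX;
    return PLATFORM_UNKNOWN;
}

/* Accept only digits separated by single dots, e.g. "144.0.7559.75". */
int version_is_wellformed(const char *v) {
    if (!v || !*v) return 0;
    for (const char *p = v; *p; p++)
        if (!isdigit((unsigned char)*p) && *p != '.') return 0;
    return v[0] != '.' && v[strlen(v) - 1] != '.' && strstr(v, "..") == NULL;
}

/* Compare dotted numeric versions component by component.
 * Returns <0, 0 or >0 like strcmp; missing trailing components count as 0. */
int version_compare(const char *a, const char *b) {
    while (*a || *b) {
        char *ea = (char *)a, *eb = (char *)b;
        long x = *a ? strtol(a, &ea, 10) : 0;
        long y = *b ? strtol(b, &eb, 10) : 0;
        if (x != y) return x < y ? -1 : 1;
        /* advance past the component and its dot; a component that did not
         * parse ends the string so the loop cannot spin */
        if (*a) a = (ea == a) ? a + strlen(a) : (*ea == '.' ? ea + 1 : ea);
        if (*b) b = (eb == b) ? b + strlen(b) : (*eb == '.' ? eb + 1 : eb);
    }
    return 0;
}

/* 1 = at or above the patched build, 0 = still vulnerable,
 * -1 = unknown platform or malformed version string. */
int chrome_is_patched(Platform p, const char *installed) {
    const char *min = patched_version_for(p);
    if (!min || !version_is_wellformed(installed)) return -1;
    return version_compare(installed, min) >= 0;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <windows|macos|linux> <installed-version>\n", argv[0]);
        return 2;
    }
    int r = chrome_is_patched(platform_from_name(argv[1]), argv[2]);
    if (r < 0) { fprintf(stderr, "unknown platform or malformed version\n"); return 2; }
    printf("%s %s: %s\n", argv[1], argv[2], r ? "patched" : "VULNERABLE, update now");
    return r ? 0 : 1;
}
```

The exit status (0 patched, 1 vulnerable, 2 bad input) is meant for wrapping in a loop over an inventory file; the Windows/macOS line is compared against .75 so the .76 build the article also lists counts as patched.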

You can check out the entire CVE-2026-2441 changelog on the National Vulnerability Database website.
