0-Day Season Begins: Chrome Patches First Actively Exploited Flaw of 2026 (CVE-2026-2441)

The "honeymoon" period for 2026 is officially over.

Google has pushed an emergency security update to the Stable channel to address CVE-2026-2441, a high-severity vulnerability that is already being weaponized in the wild.

While Google’s security advisories are famously brief to prevent script kiddies from reverse-engineering the patch too quickly, here is what we know about the bug that has security researchers and threat actors scrambling.

Technical Breakdown: The "Use-After-Free" in CSS

The flaw, tracked as CVE-2026-2441 with a CVSS score of 8.8, is a "Use-After-Free" (UAF) vulnerability located within Chrome’s CSS component, specifically the CSSFontFeatureValuesMap.

For the uninitiated: A UAF occurs when a program continues to use a pointer to a memory location after that memory has been marked as "free."

In the context of a browser renderer:

  • An attacker crafts a malicious HTML page with complex CSS font rules.
  • During the style recalculation process, the browser frees an object but fails to clear the reference to it.
  • The attacker then "sprays" the heap to occupy that freed memory with their own malicious payload.
  • When Chrome later dereferences the "stale" pointer, it operates on attacker-controlled data where it expects the original font data, which is what turns the dangling reference into control over execution.

Impact: Sandbox RCE

The primary threat here is Remote Code Execution (RCE).

By simply convincing a user to visit a compromised website or view a malicious advertisement (malvertising), an attacker can execute arbitrary code within the Chrome sandbox.

While the sandbox is designed to prevent a browser tab from accessing your actual filesystem or camera, RCE is the first (and most critical) step in a "kill chain."

Sophisticated actors often pair this with a second sandbox escape bug to gain full SYSTEM privileges on the host machine.

The Chromium Ripple Effect

As always with Chromium-based bugs, the "blast radius" extends far beyond just Google Chrome.

Users of the following browsers are potentially at risk until their respective vendors ship the patch downstream:

  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

CISA (the Cybersecurity and Infrastructure Security Agency) has already added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch by early March.

Hacklido Analysis: Why CSS Again?

It is interesting to note that this isn't a V8 (JavaScript) or Mojo bug—the usual suspects.

Seeing a critical RCE in the CSS rendering engine highlights that even the "static" parts of web styling have become so complex (with font-face mappings and variable fonts) that they are now viable attack vectors.

The bug was reported on February 11, 2026, by researcher Shaheen Fazim.

The speed at which Google moved from report to "in-the-wild" confirmation suggests this wasn't just a theoretical PoC; it was likely caught during active threat hunting.

Remediation: Check Your Version

If you haven't relaunched your browser in a few days, you are likely still running the vulnerable build: Chrome downloads the update in the background, but it is only applied on relaunch.

Ensure your build matches or exceeds these versions:

  • Windows/macOS: 145.0.7632.75/76
  • Linux: 144.0.7559.75

Pro Tip for Hacklido Readers: You can force the update by navigating to chrome://settings/help. If it asks you to Relaunch, do it immediately.
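For readers checking more than one machine, here is an added Python helper (not from the original post or from Google) that parses the version string shown at chrome://settings/help or printed by `google-chrome --version` and compares it against the patched floors quoted above. It assumes the advisory's "145.0.7632.75/76" notation means either build is patched, so .75 is the floor, and the inventory records are constructed sample data.

```python
"""Audit Chrome build versions against the CVE-2026-2441 patched floors."""
import re

# Minimum patched builds as quoted in the post. "145.0.7632.75/76" for
# Windows/macOS means either the .75 or .76 build carries the fix, so the
# lower one is the floor (assumption about the advisory's notation).
PATCHED_MIN = {
    "windows": (145, 0, 7632, 75),
    "darwin": (145, 0, 7632, 75),   # macOS, as reported by platform.system()
    "linux": (144, 0, 7559, 75),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of free text such as
    'Google Chrome 145.0.7632.75' and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, os_name):
    """True when the build meets the floor for the given OS. Comparing
    integer tuples matters: as strings, '144.0.7559.9' sorts *above*
    '144.0.7559.75' and would be wrongly reported as patched."""
    key = os_name.lower()
    if key not in PATCHED_MIN:
        raise ValueError(f"no patched floor known for platform {os_name!r}")
    return parse_version(version_text) >= PATCHED_MIN[key]


def audit(records):
    """Given (hostname, os, version_text) records from an inventory export,
    return the hostnames that still need the update."""
    return [host for host, os_name, ver in records if not is_patched(ver, os_name)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "windows", "145.0.7632.74"),
    ("mac-01", "darwin", "145.0.7632.75"),
    ("lnx-01", "linux", "Google Chrome 144.0.7559.9"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: still vulnerable to CVE-2026-2441, relaunch Chrome")
```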