Google released an emergency Chrome update on Friday to patch a zero-day vulnerability that has been exploited in the wild.
Chrome 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux fix CVE-2026-2441, described as a high-severity use-after-free vulnerability in the browser’s CSS component.
“Google is aware that an exploit for CVE-2026-2441 exists in the wild,” Google said in its advisory.
Google has credited researcher Shaheen Fazim for reporting the vulnerability. The actively exploited flaw was disclosed to the vendor on February 11, only two days before it was patched.
Fazim was credited by Google last year for responsibly disclosing several high-severity Chrome vulnerabilities.
A bug bounty reward for CVE-2026-2441 has not yet been determined. Some of his previous reports earned the researcher $7,000 and $8,000.
There appears to be no public information about attacks exploiting CVE-2026-2441. However, based on the little information shared by Google, the vulnerability can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website.
However, the code would be executed within a sandbox, and an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover.
Nevertheless, the vulnerability could be useful for stealing data from the browser, hijacking sessions, and conducting further attacks.
Several Chrome zero-days were patched in 2025. Google’s own zero-day tracker lists six flaws, while CISA’s KEV catalog includes seven.
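For defenders confirming rollout, the fixed builds named in this article can be checked against a software inventory. The following is an added example, not code from Google or from this article's author; the inventory format, the host names and the choice of .75 as the Windows/Mac floor are assumptions.

```python
# Minimum fixed build per platform, taken from the article text.
# Assumption: for Windows/Mac the lower of the two listed builds (.75) is the floor.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "mac": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Turn '145.0.7632.75' into (145, 0, 7632, 75); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'fixed', 'outdated' or 'unknown' for one install."""
    floor = FIXED.get(platform.strip().lower())
    if floor is None:
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    # Tuples compare numerically: 145.0.7632.9 < 145.0.7632.75 (string comparison gets this wrong).
    return "fixed" if version >= floor else "outdated"

def audit(inventory):
    """Map host -> status from 'host,platform,version' lines; skip malformed rows."""
    results = {}
    for line in inventory.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3:
            results[fields[0]] = classify(fields[1], fields[2])
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """
ws-001,windows,145.0.7632.76
ws-002,windows,145.0.7632.9
mb-003,mac,144.0.7559.75
lx-004,linux,144.0.7559.75
lx-005,linux,144.0.7559.110
xx-006,other,145.0.7632.75
ws-007,windows,n/a
"""
if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` have a platform or version string the check cannot interpret and need manual review rather than being treated as fixed.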
