Google patches first Chrome zero-day exploited in attacks this year
Source: Bleeping Computer
Google has released emergency updates to fix a high‑severity Chrome vulnerability exploited in zero‑day attacks, marking the first such security flaw patched since the start of the year.
Google confirmed that an exploit for CVE‑2026‑2441 is active in the wild in a security advisory issued on Friday.
Vulnerability details
- Type: Use‑after‑free
- Root cause: Iterator invalidation bug in
CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values. - Reporter: Security researcher Shaheen Fazim.
- Potential impact: Browser crashes, rendering issues, data corruption, or other undefined behavior.
The commit message notes that the CVE‑2026‑2441 patch addresses “the immediate problem” but that additional work remains, tracked in bug 483936078. The fix was cherry‑picked across multiple commits, indicating its urgency for a stable release rather than waiting for the next major version.
Google observed evidence of attackers exploiting this zero‑day in the wild but did not disclose further details.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third‑party library that other projects similarly depend on, but haven’t yet fixed,” the advisory noted.
Patch release
The vulnerability has been fixed for users in the Stable Desktop channel. New versions are rolling out to:
- Windows & macOS: 145.0.7632.75/76
- Linux: 144.0.7559.75
Updates will be delivered worldwide over the coming days or weeks. Users can let Chrome check for updates automatically and install them after the next launch.
Historical context
While this is the first actively exploited Chrome security vulnerability patched in 2026, Google addressed a total of eight zero‑days abused in the wild in 2025, many reported by the company’s Threat Analysis Group (TAG), which tracks zero‑days exploited in spyware attacks targeting high‑risk individuals.