Google pushed an emergency Stable-channel update to fix a high-severity use-after-free bug in Chrome’s CSS handling that it says is already being exploited (CVE-2026-2441), requiring enterprises to prioritize patch validation and browser restarts to ensure the fix is applied.
The use-after-free bug is a memory corruption error where a program continues to use a pointer after the memory it points to has been cleared, allowing attackers to inject malicious data.
Google updated Chrome’s Stable channel to 145.0.7632.75/76 for Windows and macOS and 144.0.7559.75 for Linux, with rollout “over the coming days/weeks,” and said it is “aware that an exploit for CVE-2026-2441 exists in the wild.”
Technical Analysis: CVE-2026-2441
NIST’s National Vulnerability Database describes CVE-2026-2441 as a use-after-free in CSS affecting Chrome versions prior to 145.0.7632.75 and says it can allow arbitrary code execution “inside a sandbox” via a crafted HTML page.
Arbitrary code execution is a condition where an attacker can run any command or code of their choice on the target’s process, effectively hijacking the application.
The NVD record also shows a CVSS v3.1 base score of 8.8 (via CISA-ADP) and lists Google’s Chrome Releases advisory as a reference. A “High” severity rating on the Common Vulnerability Scoring System, indicating the flaw is easily exploitable over a network with significant impact.
Google credited security researcher Shaheen Fazim and dated the report to Feb. 11. Google did not identify the threat actor or targeting details, and noted it may keep bug links restricted until more users are updated.
What does it mean to be “inside a sandbox”?
Chromium’s security documentation describes sandbox escapes as a separate step attackers may need to reach broader system resources beyond a compromised renderer process.
However, the NVD description specifies the vulnerability allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Thus, this bug alone does not automatically imply full device takeover.
Patch integrity and follow-on risks
A Chromium commit tied to the fix says it ‘addresses the immediate problem’ of iterating while modifying CSSFontFeatureValuesMap and notes ‘remaining work’ tracked in a separate bug.
The CSSFontFeatureValuesMap is an interface used by the browser to map human-readable names to specific OpenType font features, such as stylistic alternates or ligatures.”
Enterprise deployment strategies
Because updates do not take effect until Chrome is restarted, admins can reduce exposure during the rollout window by validating deployed browser versions and using Chrome Enterprise policies that prompt or automatically relaunch the browser after updates where appropriate.
Who else is affected across Chromium browsers?
CVE-2026-2441 sits in Chromium’s codebase, so downstream browsers typically need to ingest the upstream fix. Chromium codebase is the open-source foundation developed by Google that powers not only Chrome but also Edge, Brave and Opera.
Brave’s release notes show it upgraded to Chromium 145.0.7632.76 on Feb. 14, which aligns with Google’s patched build line.
Microsoft’s Edge security release notes, last updated Feb. 3, include a Feb. 11 entry saying Microsoft is “aware of the recent Chromium security fixes” and is “actively working on releasing a security fix,” signaling a lag enterprises may need to account for in mixed-browser environments.