Google fixes exploited Chrome CSS zero-day

By Carly Page
Publication Date: 2026-02-16 12:39:00

Google has quietly pushed out an emergency Chrome fix after attackers were caught exploiting the browser’s first reported zero-day of 2026.

The flaw, tracked as CVE-2026-2441 and assigned a “high” CVSS score of 8.8, stems from a use-after-free bug in Chrome’s CSS handling that could allow a remote attacker to execute arbitrary code inside the browser’s sandbox using a specially crafted HTML page. In other words, a dodgy webpage could be all an attacker needs to get malicious code running inside a victim’s browser.

Unsurprisingly, Google has rushed out fixes for Chrome with version 145.0.7632.75 for Windows and Mac, and 144.0.7559.75 for Linux, which the Chocolate Factory says will “roll out in the coming days/weeks.”

Security researcher Shaheen Fazim reported the flaw on February 11, and Google acknowledged that attackers were already exploiting it just two days later – though it’s staying tight-lipped on…