CVE-2026-2441: Chrome/Chromium CSS Use-After-Free Vulnerability (UAF)

Read more about cve-2026-2441 and the most important cybersecurity news to stay up to date with

What is CVE-2026-2441?

CVE-2026-2441 is a use-after-free (UAF) memory-safety bug in Chromium’s CSS handling that can be triggered by a crafted web page. In practical terms, a user can be exposed simply by visiting attacker-controlled content that exercises the vulnerable CSS code path. Public advisories indicate the outcome can be attacker-controlled code execution inside the browser’s sandboxed renderer, which is still a serious security boundary even if it is not immediate full-system compromise. Google’s Chrome release notes also state the company is aware of in-the-wild exploitation, while limiting some technical details until more users are updated.

 

What is Affected By CVE-2026-2441?

CVE-2026-2441 affects Google Chrome (Chromium-based) desktop builds that are older than the patched Stable versions for each platform. Google shipped fixes to Stable on February 13, 2026, with platform-specific versioning for Windows/macOS vs. Linux. The Chromium bug entry is tracked under issue 483569511, but access to details may be restricted during rollout.

Affected software typically includes:

  • Google Chrome for Windows/macOS: versions earlier than 145.0.7632.75/76

  • Google Chrome for Linux: versions earlier than 144.0.7559.75

  • Downstream Chromium builds (Linux distro “chromium” packages, BSD ports, and other Chromium-based browsers) if they are based on vulnerable Chromium code and have not yet absorbed the upstream fix

Mitigation and Remediation For CVE-2026-2441

The primary remediation is to update Chrome/Chromium to a fixed build and ensure the browser is relaunched so the patched code is actually in use. Because exploitation has been reported in the wild, this should be treated as an urgent, high-priority browser update for both consumers and enterprises. NVD also reflects that this CVE is tracked in CISA’s Known Exploited Vulnerabilities workflow, reinforcing the need for timely remediation.

Recommended actions:

  • Update Chrome immediately to the latest Stable available for your OS (Windows/macOS: 145.0.7632.75/76; Linux: 144.0.7559.75)

  • Relaunch Chrome after updating (enterprise rollouts often fail here—patched files may exist on disk but not be loaded until restart).

  • Enterprise controls: enforce auto-update policies, verify fleet compliance (device/browser inventory), and prioritize any endpoints used for privileged access (admin consoles, cloud portals).

  • Compensating controls (temporary): reduce exposure to untrusted browsing (e.g., isolate web access for high-risk roles) until patch saturation is confirmed across your environment.

Impact of Successful Exploitation of CVE-2026-2441

Successful exploitation can enable attacker-controlled code execution within Chrome’s sandboxed renderer process. While the sandbox is designed to constrain damage, code execution in the renderer can still enable meaningful malicious behavior (data access within the browser context, session abuse, and staging for further attacks). Google has explicitly acknowledged active exploitation, which usually indicates real-world targeting rather than purely theoretical risk.

Potential impacts include:

  • Execution of attacker-controlled code inside the Chrome sandbox (renderer-level compromise)

  • Browser data exposure within the compromised context (e.g., accessible page data, tokens available to that session, or actions as the user on visited sites)

  • Follow-on risk if chained with a separate sandbox escape or privilege escalation vulnerability (more likely in targeted attacks than opportunistic ones)

Proof of Concept for CVE-2026-2441

Public exploit details are intentionally limited in Google’s primary notes, but third-party researchers have published PoC material—use caution and prioritize defense. Google’s release post notes that bug details may remain restricted during rollout, and the Chromium issue tracker entry may require permissions. A public GitHub repository claims to demonstrate triggering behavior related to CSS font-feature handling; however, treat such claims as untrusted until you validate them in a safe lab environment and confirm they match the fixed/affected code paths.

Below are non-weaponized, defensive checks you can use to confirm whether a system is running a potentially vulnerable Chrome build.

 

Windows (PowerShell) – check installed Chrome version

$chromePaths = @(
"$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
"$env:ProgramFiles(x86)\Google\Chrome\Application\chrome.exe"
)

 

$chromeExe = $chromePaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $chromeExe) { Write-Host “Chrome not found at default paths.”; exit 1 }

$ver = (Get-Item $chromeExe).VersionInfo.ProductVersion
Write-Host "Chrome version:" $ver
Write-Host "Patched on Windows/macOS: 145.0.7632.75/76 (or newer)"

macOS – check application version

 
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
echo "Patched on Windows/macOS: 145.0.7632.75/76 (or newer)"

Linux – check browser version

 
google-chrome --version 2>/dev/null || chromium --version
echo "Patched on Linux Stable: 144.0.7559.75 (or newer)"
 
 

If you need a public reference for researcher PoC discussions (again: do not run untrusted PoCs on production systems), start by reviewing the GitHub advisory and the Chrome release note references, then validate only in isolated test environments.

 

Subscribe to WNE Security’s newsletter for the latest cybersecurity best practices, 0-days, and breaking news. Or learn more about “CVE-2026-2441: Chrome/Chromium CSS Use-After-Free Vulnerability (UAF)”  by clicking the links below

Scroll to Top