Google Patches First Chrome Zero-Day Exploited in Attacks This Year

BleepingComputer • February 16, 2026

Companies Mentioned

Google (GOOG)

Why It Matters

Active exploitation of a Chrome zero‑day threatens millions of users and highlights the urgency of rapid patch deployment for enterprise security.

Key Takeaways

  • Google patched CVE‑2026‑2441, a use‑after‑free bug.
  • Vulnerability exploited in the wild, affecting Chrome stable releases.
  • Fix backported to Windows, macOS, and Linux versions.
  • Google notes remaining work in bug 483936078.
  • TAG previously reported eight zero‑days in 2025.

Pulse Analysis

Chrome’s CVE‑2026‑2441 is a use‑after‑free flaw in the CSSFontFeatureValuesMap implementation, triggered by an iterator invalidation bug. When exploited, it can cause crashes, rendering anomalies, or data corruption, giving attackers a foothold in the browser’s memory space. The vulnerability’s presence in the stable channel made it an attractive target for threat actors, and Google’s security advisory confirmed active exploitation in the wild. This marks the first zero‑day Chrome attack observed in 2026, underscoring the persistent risk of browser‑level code execution bugs.

Google responded with emergency updates that were cherry‑picked into the stable desktop builds for Windows, macOS, and Linux, rolling out versions 145.0.7632.75/76 and 144.0.7559.75. By backporting the fix, the company avoided waiting for the next major release, reducing the window of exposure for millions of users. The patch addresses the immediate exploit path, while a follow‑up ticket (bug 483936078) tracks additional work needed to fully remediate the underlying code defect. Enterprises are urged to verify that automatic updates are enabled to ensure rapid deployment.

The CVE‑2026‑2441 incident highlights the broader challenge of securing the web’s most ubiquitous platform. Chrome’s market share makes it a high‑value target, and the Threat Analysis Group’s track record of uncovering eight zero‑days in 2025 demonstrates the scale of adversarial activity. Organizations that rely on Chrome for internal applications must incorporate timely patch management into their security operations, and consider layered defenses such as application‑allowlisting and sandboxing to mitigate residual risk. Continued vigilance and rapid response remain essential as browsers evolve and attackers refine exploitation techniques.

Google patches first Chrome zero-day exploited in attacks this year

Google releases emergency updates to fix high‑severity Chrome vulnerability exploited in the wild

Google has released emergency updates to fix a high‑severity Chrome vulnerability exploited in zero‑day attacks, marking the first such security flaw patched since the start of the year.

“Google is aware that an exploit for CVE‑2026‑2441 exists in the wild,” Google said in a security advisory issued on Friday.

According to the Chromium commit history, this use‑after‑free vulnerability (reported by security researcher Shaheen Fazim) is due to an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome's implementation of CSS font feature values. Successful exploitation can allow attackers to trigger browser crashes, rendering issues, data corruption, or other undefined behavior.

The commit message also notes that the CVE‑2026‑2441 patch addresses “the immediate problem” but indicates there’s “remaining work” tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed.

The patch was tagged as “cherry‑picked” (or backported) across multiple commits, indicating that it was important enough to include in a stable release rather than waiting for the next major version (likely because the vulnerability is being exploited in the wild).

Although Google found evidence of attackers exploiting this zero‑day flaw in the wild, it did not share additional details regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third‑party library that other projects similarly depend on, but haven’t yet fixed,” it noted.

Google has now fixed this vulnerability for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (145.0.7632.75/76), and Linux users (144.0.7559.75) worldwide over the coming days or weeks.

If you don’t want to update manually, you can also let Chrome check for updates automatically and install them after the next launch.
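One way to check a fleet against the fixed builds listed above, as an added example that is not part of the original article or Google's advisory. The inventory and host names are constructed. It assumes 145.0.7632.75 is the minimum fixed build for both Windows and macOS, and that any numerically higher build on the same platform includes the fix.

```python
import re

# Fixed Stable Desktop builds as stated in the article. Assumption: .75 is
# treated as the minimum for Windows and macOS (the article lists .75/76).
FIXED_BUILDS = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

# Accepts a bare version or "Google Chrome 145.0.7632.76" style output.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def patch_status(platform, version_text):
    """Classify one install as 'patched', 'needs-update' or 'unknown'."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version
    # Compare as integer tuples: as strings, "145.0.7632.9" sorts after
    # "145.0.7632.75" and would be wrongly reported as patched.
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Group host names by patch status."""
    report = {"patched": [], "needs-update": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[patch_status(platform, version_text)].append(host)
    return report


# Constructed sample inventory: (host, platform, reported Chrome version).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "Windows", "145.0.7632.9"),
    ("ws-03", "windows", "145.0.7632"),
    ("mac-01", "macos", "145.0.7632.75"),
    ("lin-01", "linux", "144.0.7559.75"),
    ("lin-02", "linux", "144.0.7559.59"),
    ("kiosk-01", "chromeos", "145.0.7632.75"),
]

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual check rather than being counted as safe.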

While this is the first actively exploited Chrome security vulnerability patched since the start of 2026, last year Google addressed a total of eight zero‑days abused in the wild, many of them reported by the company’s Threat Analysis Group (TAG), widely known for tracking and identifying zero‑days exploited in spyware attacks targeting high‑risk individuals.
