Google Patches First Chrome Zero-Day Exploited in Attacks This Year

Chrome’s CVE‑2026‑2441 is a use‑after‑free flaw in the CSSFontFeatureValuesMap implementation, triggered by an iterator invalidation bug. When exploited, it can cause crashes, rendering anomalies, or data corruption, giving attackers a foothold in the browser’s memory space. The vulnerability’s presence in the stable channel made it an attractive target for threat actors, and Google’s security advisory confirmed active exploitation in the wild. This marks the first zero‑day Chrome attack observed in 2026, underscoring the persistent risk of browser‑level code execution bugs.

Google responded with emergency updates that were cherry‑picked into the stable desktop builds for Windows, macOS, and Linux, rolling out versions 145.0.7632.75/76 and 144.0.7559.75. By backporting the fix, the company avoided waiting for the next major release, reducing the window of exposure for millions of users. The patch addresses the immediate exploit path, while a follow‑up ticket (bug 483936078) tracks additional work needed to fully remediate the underlying code defect. Enterprises are urged to verify that automatic updates are enabled to ensure rapid deployment.

The CVE‑2026‑2441 incident highlights the broader challenge of securing the web’s most ubiquitous platform. Chrome’s market share makes it a high‑value target, and the Threat Analysis Group’s track record of uncovering eight zero‑days in 2025 demonstrates the scale of adversarial activity. Organizations that rely on Chrome for internal applications must incorporate timely patch management into their security operations, and consider layered defenses such as application‑allowlisting and sandboxing to mitigate residual risk. Continued vigilance and rapid response remain essential as browsers evolve and attackers refine exploitation techniques.