High-Severity Chrome 0-Day Vulnerability Enables Remote Code Execution

Written by: Lore Apostol, Cybersecurity Writer

Key Takeaways
  • Active Exploitation: Google has confirmed that a high-severity Chrome 0-day vulnerability, tracked as CVE-2026-2441, is being actively exploited in the wild.
  • Vulnerability Type: The flaw is a "Use After Free" weakness in the browser's CSS component, which can be triggered by a malicious webpage to achieve remote code execution.
  • Urgent Patch Released: A Google Chrome security update is now available for Windows, macOS, and Linux users, and immediate patching is strongly recommended.

Google has issued an emergency security patch to address a high-severity Chrome zero-day vulnerability that allows for remote code execution (RCE). The flaw, identified as CVE-2026-2441, is a "Use After Free" vulnerability in the browser's Cascading Style Sheets (CSS) rendering engine. 

Security researcher Shaheen Fazim reported the flaw on February 11, 2026, prompting a swift response from Google's security team.

Remote Code Execution and System Compromise

The CVE-2026-2441 RCE flaw allows an attacker to compromise a target system by luring the user to a specially crafted webpage. “Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” says its description.

In a typical scenario, when the victim's browser renders the malicious site, it triggers a memory-corruption error in the CSS component. This can cause the browser to crash or, more dangerously, allow the threat actor to execute arbitrary code on the operating system, potentially escaping the browser's security sandbox. 

The search giant confirmed its awareness that an exploit for the vulnerability already exists and is being used in active attack campaigns. Google has restricted access to the full technical details of the bug until a majority of users have applied the patch.

Google Chrome Fix Deployed

To mitigate the threat, Google has released an essential patch, which brings Chrome to version 145.0.7632.75/.76 for Windows and macOS and version 144.0.7559.75 for Linux. 

While the update will deploy automatically over the coming days, users are strongly urged to manually initiate the update process immediately. Navigate to Chrome's Menu → Help → About Google Chrome to force the browser to check for and install the latest version.
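
For teams that need to confirm patch status across many machines, the following added example (not from Google or the original article) triages an inventory of Chrome version strings against the fixed builds quoted above. The inventory rows, hostnames and function names are constructed for illustration, and builds on a release branch the article does not list are reported as "unknown" rather than assumed safe.

```python
import re

# First fixed build per platform, as given in the article (MAJOR.MINOR.BUILD.PATCH).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Pull a four-part version out of e.g. 'Google Chrome 145.0.7632.75'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version string
    if version[:3] == fixed[:3]:
        # Same release branch: only the PATCH field decides.
        return "patched" if version[3] >= fixed[3] else "vulnerable"
    if version < fixed:
        return "vulnerable"  # older branch than the fixed build
    # Newer branch the article does not list: confirm against release notes.
    return "unknown"

def triage(inventory):
    """Group hosts by status; inventory rows are (host, platform, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 145.0.7632.76"),
    ("ws-002", "Windows", "Google Chrome 144.0.7559.110"),
    ("mac-01", "macOS", "145.0.7632.74"),
    ("lin-01", "Linux", "Google Chrome 144.0.7559.75"),
    ("lin-02", "Linux", "Google Chrome 145.0.7632.45"),
    ("lin-03", "Linux", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check, since either the version string could not be parsed or the build sits on a branch for which the article gives no fixed version.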

Last month, Google patched another high-severity WebView flaw in the tag component. A flaw in the Chrome Loader component was actively exploited in 2025, with a fix released in May. Last week, TechNadu reported on novel malicious Chrome extensions that exploit AI popularity or steal Meta Business Suite data.

