GOOGLE on Friday released security updates for its Chrome browser to address a high-severity flaw tracked as CVE-2026-2441, described as a use-after-free in CSS, which has been exploited in the wild. The vulnerability, rated CVSS 8.8, was discovered and reported by security researcher Shaheen Fazim on 11 February 2026, and according to the National Vulnerability Database the flaw allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Google acknowledged that an exploit for CVE-2026-2441 exists in the wild and the Chrome update is the first actively exploited zero-day Chrome patch in 2026. To mitigate the risk, users should update to Chrome versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux, with the usual navigation path More > Help > About Google Chrome and Relaunch to ensure the updates are installed.
The company did not disclose details on who is exploiting the flaw or targeted victims, but the guidance remains clear: apply the patch across Chrome and other Chromium-based browsers when updates become available. According to NIST’s National Vulnerability Database, the flaw’s description emphasises the remote code execution potential, underscoring the ongoing threat browser-based zero-days pose.