ON 15 February 2026, a critical Chrome zero-day, CVE-2026-2441, dubbed a “Use after free in CSS,” was disclosed as being exploited in the wild, affecting the browser’s CSS engine and potentially allowing remote code execution simply by visiting a compromised webpage. The flaw involves a dangling pointer that can be written with attacker data, with the attacker’s code executing when the browser accesses that memory; the vulnerability was reported on 11 February 2026 by security researcher Shaheen Fazim.
Google’s advisory confirms that an exploit exists in the wild, and the fix is rolling out now to the Stable channel, with updates recommended for all users to close the security gap. Microsoft? No, the article specifies Windows & Mac updates to version 145.0.7632.75/.76 and Linux to 144.0.7559.75, and instructs users to verify their browser version via Settings > About Chrome before relaunching. According to Google, administrators should prioritise patching all endpoints given the active exploitation status.