GOOGLE has patched Chrome zero-day CVE-2026-2441, a high-severity use-after-free flaw in the CSS component that is already being exploited in real-world attacks. The vulnerability was discovered and responsibly reported by security researcher Shaheen Fazim on 11 February 2026, and Google notes that an exploit exists in the wild but has not disclosed how it is used or which threat actors are behind it.
According to Google’s advisory, this is the first actively exploited Chrome zero-day fixed in 2026, following eight similar flaws patched in 2025. The Chrome Stable channel has been updated to versions 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux, with the rollout to users continuing over coming days. Researchers and users of Chromium-based browsers should apply the update to mitigate the risk, as Google is aware of active exploitation. The article notes that no details about the exploitation method or responsible attacker are provided beyond the existence of in-the-wild exploitation.