GOOGLE released an emergency Chrome update to patch the first actively exploited zero-day of 2026, CVE-2026-2441, described as a high-severity use-after-free in the browser’s CSS component. The fixes apply to Chrome 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux, with Google noting that an exploit exists in the wild according to Google. The vulnerability was disclosed to the vendor on 11 February, and the researcher Shaheen Fazim is credited for reporting it.
The bug bounty for CVE-2026-2441 has not yet been determined; Fazim’s prior reports earned him $7,000 and $8,000. While publicly available details are limited, Google indicated the flaw could likely be exploited for arbitrary code execution by luring a targeted user to a malicious website, though code would run within a sandbox and an additional vulnerability would be needed to escape the sandbox for full system takeover, potentially enabling data theft, session hijacking and further attacks.