Google has issued a patch for a high-severity Chrome zero-day, tracked as CVE-2026-2441, a memory bug in how the browser handles certain font features that attackers are already exploiting, according to Google. The vulnerability is a use-after-free issue in Chrome's CSS font feature handling (CSSFontFeatureValuesMap), potentially allowing a remote attacker to execute arbitrary code inside a tab confined by Chrome's sandbox.
The CVE record notes that this use-after-free in CSS in Google Chrome prior to 145.0.7632.75 allowed such code execution via a crafted HTML page, and Google issued a separate update on the stable channel for it. The latest version numbers are 145.0.7632.75/76 for Windows and macOS, and 145.0.7632.75 for Linux, so Chrome on 145.0.7632.75 or later is protected. To stay safe, users are advised to update Chrome as soon as possible, keep automatic updates enabled, and restart the browser if needed.
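For administrators checking more than one machine, the sketch below compares reported Chrome versions against the fixed build 145.0.7632.75. It is an added example, not code from Google or from the original article; the host names, the inventory format and the sample version strings are constructed for illustration.

```python
import re

# Fixed build named in the article for CVE-2026-2441 (Windows, macOS, Linux).
FIXED_BUILD = (145, 0, 7632, 75)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Classify one reported version string as patched, vulnerable or unknown."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # no parsable version: needs manual follow-up
    # Tuples compare field by field as integers, so .9 sorts below .75.
    # A plain string comparison would get that case wrong.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map each host to its status, given a dict of host -> reported version text."""
    return {host: classify(raw) for host, raw in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "win-001": "Google Chrome 145.0.7632.76",
    "mac-014": "Google Chrome 145.0.7632.75",
    "lin-203": "Google Chrome 145.0.7632.9",    # below .75 numerically
    "win-077": "Google Chrome 144.9.9999.999",  # older major version
    "kiosk-3": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```

A host can report a patched version on disk while a browser that has not been restarted is still running the old build, which is why the restart step matters.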