Google Patches First Chrome Zero-Day of 2026: What You Need to Know

Google has released an emergency security patch for its Chrome browser after discovering that hackers were already exploiting a critical zero-day vulnerability in the wild. The flaw, tracked as CVE-2026-2441, has been rated 8.8 out of 10 on the CVSS severity scale — making it a high-severity threat that demands immediate attention.
What Is CVE-2026-2441?
The vulnerability is a use-after-free bug found in Chrome's CSSFontFeatureValuesMap — a component responsible for CSS font rendering. Use-after-free vulnerabilities occur when a program continues to use memory after it has been freed, allowing attackers to manipulate that memory and execute arbitrary code.
In simpler terms: a hacker could craft a malicious webpage that, when visited by a Chrome user, could silently take control of the browser — and potentially the entire system. No downloads, no pop-ups, no warnings. Just visiting the wrong page is enough.
Who Discovered It?
The vulnerability was reported by independent security researcher Shaheen Fazim. Google acknowledged the find and fast-tracked a fix, noting in its advisory that it was aware of reports that an exploit for CVE-2026-2441 "exists in the wild" — meaning attackers were already using it before the patch was available.
Which Versions Are Affected?
Google has shipped the fix in the following Chrome versions:
- Windows and macOS: Chrome 145.0.7632.75 / 145.0.7632.76
- Linux: Chrome 144.0.7559.75
If you're running an older version, you are vulnerable. Update immediately.
It's Not Just Chrome
Here's the part many people overlook: Chrome is built on Chromium, the open-source browser project that also powers several other popular browsers. That means this vulnerability also affects:
- Microsoft Edge
- Brave
- Opera
- Vivaldi
If you use any Chromium-based browser, not just Chrome, you need to check for updates.
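An added example (not from the article or from Google) showing how the patched build numbers listed above can be turned into a fleet check. It assumes inventory rows of the form (host, platform, "<product> <version>"); the function names and sample hosts are hypothetical, and browsers other than Chrome are only flagged for a vendor check because the article gives no patched builds for them.

```python
import re

# Patched builds as listed in the article; other Chromium browsers have no
# build numbers on the page, so they are reported for a manual vendor check.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})\b")


def assess(platform, version_string):
    """Return 'patched', 'vulnerable' or 'check-vendor' for one browser."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        return "check-vendor"  # unparseable output: do not assume it is safe
    product = m.group("product").lower()
    baseline = PATCHED.get(platform.lower())
    if product != "google chrome" or baseline is None:
        return "check-vendor"
    installed = tuple(int(p) for p in m.group("ver").split("."))
    # Numeric tuple comparison: 145.0.7632.9 sorts below 145.0.7632.75.
    return "patched" if installed >= baseline else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory rows are (host, platform, output)."""
    return {host: assess(plat, out) for host, plat, out in inventory}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.9"),
    ("mac-01", "macos", "Google Chrome 144.0.7559.75"),
    ("lin-01", "linux", "Google Chrome 144.0.7559.75"),
    ("lin-02", "linux", "Google Chrome 143.0.7499.40 beta"),
    ("ws-03", "windows", "Microsoft Edge 145.0.3800.58"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```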
Google's Internal Notes Raise Questions
Interestingly, Google reportedly "cherry-picked" this fix, and internal commit notes suggest the patch may address only part of the underlying issue. This has raised concerns among security researchers that a more comprehensive fix may still be needed. For now, the emergency patch stops the known exploit, but the root cause may not be fully resolved.
CERT-In Flags It as Critical
India's Computer Emergency Response Team (CERT-In) has also flagged CVE-2026-2441 as a critical vulnerability, urging all users and organizations to update their browsers immediately. Government agencies and enterprises are particularly at risk due to the scale of Chromium browser usage in corporate environments.
A Growing Pattern
This is the first Chrome zero-day of 2026, but it follows a troubling trend. In 2025, Google patched at least eight zero-day vulnerabilities in Chrome, several of which were linked to surveillance operations and nation-state actors. The fact that 2026 is already starting with an actively exploited zero-day suggests the threat landscape is only intensifying.
The Bottom Line
Update your browser right now. Go to Chrome menu → Help → About Google Chrome and let it update. Do the same for Edge, Brave, Opera, or any other Chromium-based browser you use. This isn't a theoretical risk — attackers are already exploiting this flaw. Every hour you delay is an hour your system is exposed.