A critical zero-day vulnerability, identified as CVE-2026-2441, has been discovered in Google Chrome’s Blink CSS engine. This use-after-free flaw is actively being exploited in the wild, posing significant risks to users.
The vulnerability resides in the `CSSFontFeatureValuesMap` component of Chrome’s Blink rendering engine. It originates from an iterator invalidation issue where the `FontFeatureValuesMapIterationSource` maintains a raw pointer to an internal `FontFeatureAliases` HashMap. When this map undergoes mutations during iteration, such as through `set()` or `delete()` operations, it can rehash, leading to the allocation of new storage and the deallocation of the old one. Consequently, the raw pointer becomes dangling, and subsequent calls to `FetchNextItem()` may access freed memory, triggering the use-after-free condition.
To address this issue, Google has replaced the raw pointer with a deep copy of the HashMap. This ensures that the iterator operates on its own isolated snapshot, thereby preventing rehashing-related vulnerabilities.
The following table outlines the affected and fixed versions across different platforms:
| Platform | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Windows / macOS (Stable) | < 145.0.7632.75 | ≥ 145.0.7632.75 |
| Linux (Stable) | < 144.0.7559.75 | ≥ 144.0.7559.75 |
| Windows / macOS (Extended Stable) | < 144.0.7559.177 | ≥ 144.0.7559.177 |
| Chromium-based browsers (Edge, Brave, Opera, Vivaldi) | Check vendor advisory | Varies |
A proof-of-concept (PoC) exploit has been released, demonstrating the vulnerability through three distinct methods: an `entries()` iterator combined with a mutation loop, a `for…of` loop with concurrent deletion and heap spraying, and a `requestAnimationFrame`-based technique that forces a layout recalculation mid-iteration. Each method incorporates heap grooming by pre-allocating multiple same-sized `@font-feature-values` CSS rules to increase the predictability of heap layout for exploitation.
On unpatched Chrome versions, exploiting this vulnerability results in the renderer process crashing with `STATUS_ACCESS_VIOLATION` on Windows or `SIGSEGV` on Linux and macOS, confirming that the dangling pointer accesses freed memory.
The immediate impact is confined to the Chrome renderer sandbox, enabling arbitrary code execution within the sandboxed process. This can lead to information disclosure through leaked V8 heap pointers, credential theft via `document.cookie` and `localStorage` access, and session hijacking through token exfiltration. When combined with a separate sandbox escape vulnerability, this use-after-free flaw becomes the first link in a full system compromise chain, a pattern previously observed with other sophisticated cyberattacks.
The vulnerability is exploitable via drive-by download, requiring no user interaction beyond visiting a malicious page. This makes it suitable for various attack vectors, including malvertising, watering hole attacks, and spear-phishing campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-2441 to its Known Exploited Vulnerabilities (KEV) catalog. Users are strongly advised to update Chrome to version 145.0.7632.75 or later on Windows and macOS, and 144.0.7559.75 or later on Linux. Users of Chromium-based browsers should apply vendor patches from Edge, Brave, Opera, and Vivaldi as they become available. Administrators should also verify that Site Isolation is enabled via `chrome://flags/#site-isolation-trial-opt-out` and audit all endpoints for outdated Chrome deployments.
This incident underscores the critical importance of timely software updates and vigilant security practices. As cyber threats continue to evolve, staying informed and proactive is essential to safeguard systems against emerging vulnerabilities.