Critical Chrome Zero-Day Vulnerability Exploited: Immediate Update Required
A critical zero-day vulnerability, identified as CVE-2026-2441, has been discovered in Google Chrome’s Blink CSS engine. This flaw is actively being exploited in the wild, posing significant risks to users worldwide.
Discovery and Immediate Response
On February 11, 2026, security researcher Shaheen Fazim reported the vulnerability to Google. Recognizing the severity of the issue, Google acted swiftly, releasing an emergency patch just two days later. This rapid response underscores the critical nature of the flaw and the importance of timely updates.
Technical Details of the Vulnerability
CVE-2026-2441 is a use-after-free (UAF) vulnerability located within the `CSSFontFeatureValuesMap` component of Chrome’s Blink rendering engine. The root cause is an iterator invalidation flaw. Specifically, the `FontFeatureValuesMapIterationSource` stores a raw pointer (`const FontFeatureAliases aliases_`) to an internal `FontFeatureAliases` HashMap. When this map undergoes mutations during iteration—such as through `set()` or `delete()` operations—it triggers a rehashing process. This process allocates new storage and frees the old block, rendering the raw pointer dangling. Subsequent calls to `FetchNextItem()` then access freed memory, leading to the use-after-free condition.
Google’s Mitigation Measures
To address this vulnerability, Google replaced the raw pointer with a deep copy of the HashMap. This approach ensures that the iterator operates on its own isolated snapshot, immune to rehashing issues. The fix has been incorporated into the following Chrome versions:
– Windows/macOS (Stable): Version 145.0.7632.75 and later
– Linux (Stable): Version 144.0.7559.75 and later
– Windows/macOS (Extended Stable): Version 144.0.7559.177 and later
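As an added illustration (not Chromium code), the C++ model below reproduces the iterator-invalidation pattern described above and the snapshot fix that replaced it: `RawIterationSource` keeps a raw pointer into a live `std::unordered_map` standing in for `FontFeatureAliases`, while `SnapshotIterationSource` walks its own deep copy. Only `FontFeatureAliases` and `FetchNextItem` are names from the page; the other identifiers and the sample aliases are assumptions, and the raw variant compares the bucket count so that it reports the rehash instead of reading freed memory.

```cpp
#include <optional>
#include <string>
#include <unordered_map>

// Stand-in for Blink's FontFeatureAliases (alias name -> feature index).
using FontFeatureAliases = std::unordered_map<std::string, unsigned>;
using Entry = std::pair<std::string, unsigned>;
// Vulnerable pattern: raw pointer to the live map plus an iterator into its
// bucket storage. A set()/delete() that rehashes frees that storage and leaves
// it_ dangling; this model compares bucket_count() and stops instead of reading.
struct RawIterationSource {
  explicit RawIterationSource(const FontFeatureAliases& m)
      : map_(&m), it_(m.begin()), buckets_(m.bucket_count()) {}
  std::optional<Entry> FetchNextItem() {
    if (map_->bucket_count() != buckets_) return std::nullopt;  // rehashed
    if (it_ == map_->end()) return std::nullopt;
    Entry e = *it_; ++it_; return e;
  }
  const FontFeatureAliases* map_;  // raw pointer, as in the vulnerable code
  FontFeatureAliases::const_iterator it_;
  std::size_t buckets_;
};
// Patched pattern: iterate a private deep copy that live-map mutations cannot reach.
struct SnapshotIterationSource {
  explicit SnapshotIterationSource(const FontFeatureAliases& m)
      : snapshot_(m), it_(snapshot_.begin()) {}
  std::optional<Entry> FetchNextItem() {
    if (it_ == snapshot_.end()) return std::nullopt;
    Entry e = *it_; ++it_; return e;
  }
  FontFeatureAliases snapshot_;
  FontFeatureAliases::const_iterator it_;
};
struct DriveResult { std::size_t raw_items, snapshot_items; };
// Mirrors a script calling set() inside a for...of loop: take one item from each
// source, insert until the table rehashes, then keep iterating both.
DriveResult DriveMutationDuringIteration() {
  FontFeatureAliases aliases{{"swash", 1}, {"ornaments", 2}, {"styleset", 3}};
  RawIterationSource raw(aliases);
  SnapshotIterationSource snap(aliases);
  DriveResult r{0, 0};
  if (raw.FetchNextItem()) ++r.raw_items;
  if (snap.FetchNextItem()) ++r.snapshot_items;
  const std::size_t before = aliases.bucket_count();
  for (unsigned i = 0; aliases.bucket_count() == before && i < 4096; ++i)
    aliases["alias" + std::to_string(i)] = 100 + i;  // set() until a rehash
  while (raw.FetchNextItem()) ++r.raw_items;        // stays at 1: storage moved
  while (snap.FetchNextItem()) ++r.snapshot_items;  // reaches 3: snapshot intact
  return r;
}
```

The raw source yields a single entry before the rehash and then refuses to continue, whereas the snapshot source delivers all three original entries regardless of how the live map is mutated.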
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should consult their respective vendors for specific patch information.
Proof-of-Concept (PoC) Exploit Details
A public proof-of-concept exploit has been released, demonstrating the vulnerability’s potential impact. The PoC triggers the use-after-free condition through three distinct methods:
1. Entries() Iterator with Mutation Loop: Utilizes an `entries()` iterator combined with a mutation loop to exploit the flaw.
2. For…of Loop with Concurrent Deletion and Heap Spraying: Employs a `for…of` loop alongside concurrent deletion and heap spraying techniques.
3. RequestAnimationFrame-Based Technique: Forces a layout recalculation mid-iteration using `requestAnimationFrame`.
Each method incorporates heap grooming by pre-allocating multiple same-sized `@font-feature-values` CSS rules. This strategy increases the predictability of the heap layout, facilitating exploitation.
On unpatched Chrome versions, executing the PoC results in the renderer process crashing with `STATUS_ACCESS_VIOLATION` on Windows or `SIGSEGV` on Linux and macOS. This behavior confirms that the dangling pointer accesses freed memory, validating the vulnerability.
Potential Impact and Exploitation Scenarios
The immediate impact of this vulnerability is confined to the Chrome renderer sandbox. However, it enables several malicious activities:
– Arbitrary Code Execution: Attackers can execute code within the sandboxed process.
– Information Disclosure: Leaked V8 heap pointers can be used to bypass Address Space Layout Randomization (ASLR).
– Credential Theft: Access to `document.cookie` and `localStorage` allows for the theft of user credentials.
– Session Hijacking: Attackers can exfiltrate session tokens, leading to unauthorized access.
When combined with a separate sandbox escape vulnerability, this use-after-free flaw can serve as the initial step in a full system compromise. This pattern has been observed in previous campaigns involving sophisticated spyware like NSO Pegasus and Intellexa Predator.
The vulnerability is exploitable via drive-by download attacks, requiring no user interaction beyond visiting a malicious webpage. This characteristic makes it particularly suitable for malvertising, watering hole attacks, and spear-phishing campaigns.
Official Warnings and Recommendations
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-2441 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion highlights the critical nature of the vulnerability and the necessity for immediate action.
Recommended Actions:
1. Update Chrome: Users should immediately update Chrome to version 145.0.7632.75 or later on Windows and macOS, and 144.0.7559.75 or later on Linux.
2. Check Chromium-Based Browsers: Users of browsers like Edge, Brave, Opera, and Vivaldi should apply vendor-specific patches as they become available.
3. Enable Site Isolation: Administrators should verify that Site Isolation is enabled by navigating to `chrome://flags/#site-isolation-trial-opt-out`.
4. Audit Endpoints: Conduct audits to ensure all endpoints are running updated versions of Chrome.
By taking these steps, users and organizations can protect themselves against potential exploitation of this critical vulnerability.