🔒 Google has pushed an emergency Chrome update to fix a high-severity zero-day vulnerability (CVE-2026-2441) that it says attackers are already exploiting in the wild [1][2][6][7][4]. Reports describe it as a use-after-free bug in Chrome’s CSS-related code [1][2][6][4].
The fix is rolling out to Chrome’s Stable channel on Windows, macOS, and Linux. Users should update and then restart Chrome to make sure the patch takes effect [1][2][7][4].
Sources
- [1] Google patches first Chrome zero-day of the year - so update now or face attack [techradar.com] (2026-02-16)
- [2] Chrome rushes emergency patch for actively exploited zero-day bug [techspot.com] (2026-02-16)
- [3] Google fixes exploited Chrome CSS zero-day - theregister.com [google.com] (2026-02-16)
- [4] Update Now: Google Fixes the First Active Chrome Zero-Day of 2026 [androidheadlines.com] (2026-02-16)
- [5] Government Issues High-Severity Alert For Google Chrome Users [ndtv.com] (2026-02-17)
- [6] New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released [thehackernews.com] (2026-02-16)
- [7] Google patches Chrome zero-day as in-the-wild exploits surface [theregister.com] (2026-02-16)
Highlights
- Severity scores: Sources rate the flaw as high severity, with CVSS scores listed as 8.8 [6] and 8.3/10 [1].
- First actively exploited zero-day of 2026: Coverage calls CVE-2026-2441 Chrome’s first actively exploited zero-day patched in 2026, linked to unnamed threat actors [4][1].
- In-sandbox risk: The Register says the CSS flaw could let malicious webpages run code inside Chrome’s sandbox, a reminder that sandboxing isn’t a substitute for patching [7].
Perspectives
Google: Google shipped an out-of-band Chrome update and is holding back detailed bug information until most users have updated, to limit further exploitation while the patch rolls out.
Indian government advisory: A high-severity government alert urged Chrome users to act quickly to protect their devices from serious cybersecurity threats.
Security press: TechRadar emphasized that unnamed threat actors were already abusing the flaw and called it Chrome’s first zero-day patch of 2026, underscoring the need to update promptly.
Technical Details
- Use-after-free in CSS: The vulnerability is a use-after-free bug in Chrome’s CSS-related code. It can corrupt memory, which can lead to more serious outcomes than a crash [6][2][1].
- Iterator invalidation: Android Headlines links the issue to an iterator-invalidation bug in the CSSFontFeatureValuesMap path during font processing, which can corrupt memory [4].
- CSS font handling path: TechSpot points to Chrome’s CSS font-handling code as the affected area, with impacts that can range from crashes and rendering glitches to worse outcomes [2].
Action Items
- Update Chrome immediately: In Chrome, open the menu → Help → About Google Chrome to check for updates, then relaunch/restart the browser to apply the patch [1][4].
- Restart to finish patching: If Chrome already downloaded the update in the background, a restart usually completes installation on Stable builds [4].
- Update on all devices: Install the update on any Windows, macOS, and Linux systems you use, since the fix is rolling out across those platforms [4].