MOUNTAIN VIEW, CA – Google has issued an emergency security update for its Chrome browser after confirming that attackers are actively exploiting a high-severity “zero-day” vulnerability. This marks the first time this year that Google has had to patch a flaw that was already being weaponized in the wild before a fix was available.
The vulnerability, tracked as CVE-2026-2441, was reported by independent security researcher Shaheen Fazim on February 11. Google responded rapidly, pushing out a stable channel update within five days to protect its global user base.
The Nature of the Threat
The flaw is described as a “use-after-free” bug within Chrome’s CSS (Cascading Style Sheets) engine, specifically involving how the browser handles font feature values.
How it works: In a use-after-free scenario, a program continues to use a memory location after it has been “freed” or cleared. Attackers can exploit this by placing their own malicious data into that specific memory slot.
The Risk: A remote attacker can lure a user to a specially crafted, malicious website. Once the page is loaded, the bug allows the attacker to bypass security measures and execute arbitrary code within the browser’s sandbox.
Targeting: While Google has officially acknowledged that “an exploit for CVE-2026-2441 exists in the wild,” the company has withheld specific details regarding who is being targeted or the identity of the attackers to prevent further exploitation while users update.
Is Your Browser Protected?
Google is rolling out the patch across Windows, macOS, and Linux. Users are urged to check their browser version immediately. You are protected if you are running the following versions or higher:
Platform Safe Version Number
Windows 145.0.7632.75 / .76
macOS 145.0.7632.75 / .76
Linux 144.0.7559.75
Note: Because other popular browsers like Microsoft Edge, Brave, Opera, and Vivaldi use the same Chromium engine, users of those browsers should also look for incoming security updates this week.
How to Update Manually
While Chrome typically updates automatically in the background, you can force the update to ensure immediate protection:
Click the three vertical dots (Menu) in the top-right corner of Chrome.
Hover over Help and select About Google Chrome.
Chrome will automatically check for the update and begin downloading it.
Once finished, click Relaunch to apply the patch.
The discovery of this zero-day follows a busy 2025 for Google’s security team, which patched eight such flaws last year. Security experts recommend that organizations prioritize this update, as browser-based exploits remain one of the most common entry points for malware and targeted cyberattacks.
