Google patches first Chrome zero-day exploited in attacks this year

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year/

ONE SENTENCE SUMMARY:

Google issued urgent Chrome stable updates for the actively exploited CVE-2026-2441, a use-after-free in CSS font feature handling; an immediate fix was backported to the stable channel, with follow-up work still tracked.

MAIN POINTS:

  1. Emergency Chrome patches address a high-severity vulnerability exploited as a zero-day.
  2. Google confirmed in-the-wild exploitation of CVE-2026-2441 via a Friday advisory.
  3. The root cause is a use-after-free caused by iterator invalidation in CSSFontFeatureValuesMap.
  4. Researcher Shaheen Fazim reported the flaw per Chromium commit history.
  5. Exploitation may cause crashes, rendering issues, data corruption, or undefined behavior.
  6. The commit notes describe the fix as an immediate one, with remaining work tracked under bug 483936078.
  7. The commits were cherry-picked (backported) into the stable branch, signalling urgency to get the fix into a stable release.
  8. Incident details were withheld to protect users until updates broadly deploy.
  9. Stable Desktop rollout: 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
  10. Previous year saw eight Chrome zero-days exploited, many reported by Google’s Threat Analysis Group.
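
To illustrate the bug class named in point 3, here is an added C++ example (not Chromium code and not the CVE-2026-2441 fix): a small map wrapper with constructed font-feature-tag keys that stamps each lookup cursor with a generation counter, so a cursor reused after the map was mutated is rejected instead of dereferenced, alongside the safe erase-while-iterating pattern that avoids the invalidation in the first place.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>

// Added example (not Chromium code): a hash map whose cursors carry a generation
// number, so a cursor reused after a mutation is rejected as stale instead of
// dereferencing memory the container may already have freed.
class CheckedFeatureMap {
 public:
  using Map = std::unordered_map<std::string, int>;
  struct Cursor { Map::iterator it; uint64_t generation; };
  void Set(const std::string& key, int value) {
    values_[key] = value;  // insertion may rehash: every live iterator is now stale
    ++generation_;
  }
  Cursor Find(const std::string& key) { return {values_.find(key), generation_}; }
  // Generation is checked first so a stale iterator is never even compared.
  bool Valid(const Cursor& c) { return c.generation == generation_ && c.it != values_.end(); }
  bool Get(const Cursor& c, int* out) {
    if (!Valid(c)) return false;  // stale: refuse rather than read freed memory
    *out = c.it->second;
    return true;
  }
  // Safe erase-while-iterating: continue from the iterator erase() returns and
  // never reuse an iterator across a mutation. Returns the number removed.
  size_t EraseBelow(int threshold) {
    size_t removed = 0;
    for (auto it = values_.begin(); it != values_.end();) {
      if (it->second < threshold) { it = values_.erase(it); ++removed; }
      else ++it;
    }
    if (removed) ++generation_;
    return removed;
  }
  size_t Size() const { return values_.size(); }
 private:
  Map values_;
  uint64_t generation_ = 0;
};

// Mirrors the bug class in the advisory: take a cursor, mutate the map, reuse the
// cursor. Returns true when the fresh read works and the stale reuse is caught.
bool StaleCursorIsCaught() {
  CheckedFeatureMap m;
  m.Set("liga", 1);  // constructed feature-tag keys, not real font data
  CheckedFeatureMap::Cursor c = m.Find("liga");
  int v = 0;
  bool fresh_ok = m.Get(c, &v) && v == 1;
  for (int i = 0; i < 64; ++i) m.Set("ss" + std::to_string(i), i);  // forces rehashes
  return fresh_ok && !m.Get(c, &v);
}
```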

TAKEAWAYS:

  1. Update Chrome promptly to mitigate active exploitation of CVE-2026-2441.
  2. Use-after-free bugs in browser rendering components can lead to broad, unpredictable impacts.
  3. Backported patches often signal real-world attacker use and elevated risk.
  4. Limited public disclosure is common until most users have received fixes.
  5. Ongoing tracking bugs suggest follow-on patches or hardening may still be required.