Google Patches Chrome Zero-Day Vulnerability CVE-2026-2441 Exploited in Active Attacks

Google has released an emergency update for Chrome after confirming active exploitation of a high-severity zero-day vulnerability in the wild. The flaw, tracked as CVE-2026-2441, marks the first confirmed Chrome zero-day attack of 2026 and affects users who have not yet updated to the latest stable version.

Google pushed the fix quietly through its Stable channel update, urging users to install the patch as it rolls out globally over the coming days.

Chrome Zero-Day Lets Malicious Pages Run Code

The vulnerability stems from a use-after-free bug in Chrome’s CSS handling, which allows attackers to execute arbitrary code inside the browser’s sandbox using a specially crafted HTML page. In practical terms, a single malicious webpage could trigger the exploit without any user interaction beyond loading the page.

Security researcher Shaheen Fazim reported the issue on February 11, 2026. Google confirmed active exploitation just two days later but did not disclose details about the attack campaigns or targets involved.

Fixed Chrome Versions Rolling Out Now

Google has addressed the flaw in the following Chrome versions:

  • Windows & macOS: 145.0.7632.75 / 145.0.7632.76
  • Linux: 144.0.7559.75

The update is rolling out automatically, but users can install it immediately by manually checking for updates and restarting the browser.
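An added example, not part of the original article or any Google tooling: a fleet triage check that compares each host's Chrome version against the fixed builds listed above, and separately flags hosts where the update is on disk but the browser has not been restarted. The inventory rows, host names, status labels and the `running` field are constructed assumptions, as is the premise that any numerically higher build carries the fix.

```python
import re

# Fixed builds from the article; where two are listed, the lower one is the threshold.
FIXED_BUILDS = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def assess(platform, installed, running=None):
    """Classify a host. Assumes any build at or above the fixed build has the fix."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    on_disk = parse_version(installed)
    if fixed is None or on_disk is None:
        return "unknown"
    # Tuples compare numerically; as strings, "...7559.110" sorts below "...7559.75".
    if on_disk < fixed:
        return "vulnerable"
    live = parse_version(running)
    # A browser process started before the update keeps running the old code.
    if live is not None and live < fixed:
        return "restart-pending"
    return "patched"

# Constructed sample inventory: (host, platform, installed, running).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "145.0.7632.76", "145.0.7632.76"),
    ("ws-02", "Windows", "145.0.7632.75", "145.0.7632.45"),
    ("mac-01", "macOS", "Google Chrome 144.0.7559.110", None),
    ("lin-01", "Linux", "144.0.7559.75", "144.0.7559.75"),
    ("lin-02", "Linux", "not installed", None),
]

def triage(inventory):
    """Map each host name to its status."""
    return {host: assess(platform, installed, running)
            for host, platform, installed, running in inventory}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```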

Google has restricted access to detailed bug reports and exploit information until most users receive the fix. The company often follows this approach to prevent attackers from reverse-engineering patches and launching copycat attacks before updates reach all systems.

Google also noted that the vulnerability may involve third-party components, which could require additional coordination before releasing full technical disclosures.

Why Chrome Zero-Days Continue to Target Users

This incident continues a trend from last year, when Google patched eight actively exploited Chrome zero-day vulnerabilities throughout 2025. While Chrome includes multiple security layers, attackers increasingly target memory-handling bugs that allow sandboxed code execution.

The latest patch arrives amid broader security concerns surrounding Chrome’s extension ecosystem, where researchers recently uncovered hundreds of extensions secretly harvesting user data.

What Chrome Users Should Do Immediately

Users should update Chrome immediately and restart the browser to apply the fix. Anyone running outdated versions remains exposed to active exploitation until the update completes.

Keeping automatic updates enabled remains the simplest way to stay protected against zero-day attacks like CVE-2026-2441.
