Google patches Chrome zero-day as in-the-wild exploits surface
High-severity CSS flaw let malicious webpages run code inside the sandbox
Google has quietly pushed out an emergency Chrome fix after attackers were caught exploiting the browser's first reported zero-day of 2026.
The flaw, tracked as CVE-2026-2441 and assigned a "high" CVSS score of 8.8, stems from a use-after-free bug in Chrome's CSS handling that could allow a remote attacker to execute arbitrary code inside the browser's sandbox using a specially crafted HTML page. In other words, a dodgy webpage could be all an attacker needs to get malicious code running inside a victim's browser.
Unsurprisingly, Google has rushed out fixes for Chrome with version 145.0.7632.75 for Windows and Mac, and 144.0.7559.75 for Linux, which the Chocolate Factory says will "roll out in the coming days/weeks."
REG AD
Security researcher Shaheen Fazim reported the flaw on February 11, and Google acknowledged that attackers were already exploiting it just two days later – though it's staying tight-lipped on the specifics. The company has not said whether the attacks were targeted or part of a broader exploitation campaign, only that the vulnerability was being abused before a fix was ready.
REG AD
"Google is aware that an exploit for CVE-2026-2441 exists in the wild," its security advisory stated.
Google said access to further details about the bug will remain under wraps until most users are patched, and potentially longer if third-party dependencies are involved, a standard move aimed at stopping others from quickly weaponizing the bug.
If this all feels a bit familiar, that's because it is. Google spent much of last year playing Whac-A-Mole with actively exploited Chrome bugs, ultimately patching eight zero-days across 2025.
The fix also lands days after researchers revealed that at least 287 Chrome extensions, with tens of millions of installs between them, were quietly siphoning off users' browsing histories to a long list of outside recipients – a handy reminder that data can leak not just through software flaws but through the sprawling ecosystem bolted onto the browser. ®