Google has released emergency updates to fix a high-severity Chrome vulnerability exploited in zero-day attacks, marking the first such security flaw patched since the start of the year.
“Google is aware that an exploit for CVE-2026-2441 exists in the wild,” Google said in a security advisory issued on Friday.
According to the Chromium commit history, this use-after-free vulnerability (reported by security researcher Shaheen Fazim) is due to an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values. Successful exploitation can allow attackers to trigger browser crashes, rendering issues, data corruption, or other undefined behavior.
The commit message also notes that the CVE-2026-2441 patch addresses “the immediate problem” but indicates there’s “remaining work” tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed.
The patch was tagged as “cherry-picked” (or backported) across multiple commits, indicating that it was important enough to include in a stable release rather than waiting for the next major version (likely because the vulnerability is being exploited in the wild).
Although Google found evidence of attackers exploiting this zero-day flaw in the wild, it did not share additional details regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” it noted.
Google has now fixed this vulnerability for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (145.0.7632.75/76), and Linux users (144.0.7559.75) worldwide over the coming days or weeks.
If you don’t want to update manually, you can also let Chrome check for updates automatically and install them after the next launch.
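For teams that manage more than one machine, the fixed builds listed above can be checked against a software inventory. The following is an added example, not code from Google or from the original article; the inventory format, host names and sample versions are constructed, and treating build .75 as the minimum for both Windows and macOS is an assumption, since the article gives "75/76" without saying which applies to which platform.

```python
import csv
import io

# Fixed Stable builds as reported in the article. The article gives
# "145.0.7632.75/76" for Windows and macOS; using the lower build .75 as
# the minimum for both is an assumption of this example.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Compare one install against the article's fixed build for its platform."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"   # unlisted platform or unparsable version
    if version < fixed:
        return "update"    # older than the fixed build
    if version[0] > fixed[0]:
        return "verify"    # newer branch: the article lists no fixed build for it
    return "ok"

def triage(inventory_csv):
    """Map host -> status for rows of host,platform,chrome_version."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["platform"], row["chrome_version"])
            for row in reader}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,platform,chrome_version
ws-01,windows,145.0.7632.46
ws-02,Windows,145.0.7632.76
mac-01,macos,145.0.7632.75
lin-01,linux,144.0.7559.59
lin-02,linux,145.0.7632.45
lin-03,linux,144.0.7559
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host reported as "verify" is on a newer branch than the build the article names for its platform, so a plain numeric comparison cannot confirm it carries the fix.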
While this is the first actively exploited Chrome security vulnerability patched since the start of 2026, last year Google addressed a total of eight zero-days abused in the wild, many of them reported by the company’s Threat Analysis Group (TAG), widely known for tracking and identifying zero-days exploited in spyware attacks targeting high-risk individuals.