Google Chrome just released an emergency update (versions 145.0.7632.75 and 145.0.7632.76) that patches a high‑severity, actively‑exploited zero‑day flaw known as CVE‑2026‑2441. The bug lets malicious web pages execute arbitrary code without user interaction, putting every Chrome user—and any Chromium‑based browser—at risk. Updating now is the fastest way to block the attack.
What is CVE‑2026‑2441?
CVE‑2026‑2441 is a classic use‑after‑free vulnerability inside Chrome’s CSS engine, specifically the CSSFontFeatureValuesMap implementation. In plain terms, a crafted style sheet can free memory that Chrome still references, then reuse that memory to run attacker‑controlled code. This bypasses typical security prompts and can lead to ransomware deployment, cookie theft, or full system compromise.
Technical Details of the Use‑After‑Free
- Memory is freed during CSS parsing while a reference still exists.
- Attackers inject malicious CSS that triggers the free‑then‑reuse sequence.
- The exploit works without any click or download from the victim.
How Google Fixed the Vulnerability
The emergency patch sanitises the handling of CSSFontFeatureValuesMap objects. Once memory is released, the code ensures no dangling pointers remain, and additional checks block malformed style sheets from reaching the vulnerable path. The fix is invisible to everyday browsing, but it completely blocks the arbitrary code execution vector.
Impact on Users and Enterprises
If you’re still on Chrome 145.0.7632.71 or older, you’re effectively leaving a back door open. Most consumer machines receive the update automatically, but many organisations freeze browser versions for compatibility. Those enterprises must push the new build through their IT distribution channels right away.
Chromium‑based browsers such as Microsoft Edge, Brave, and Opera inherit the same underlying code. Their developers are merging Google’s changes into their own release pipelines, but a short lag of a few days can leave users exposed.
Steps to Secure Your Chrome Now
- Check your version. Open Chrome, go to chrome://settings/help, and confirm you’re on 145.0.7632.75 or later.
- Force an update. If automatic updates are disabled, click “Check for updates” on the same page.
- Restart the browser. The patch activates on a fresh launch, so close all windows and reopen Chrome.
- Audit your extensions. Disable any extensions you don’t recognize, as they can sometimes serve as delivery vectors for CSS‑based exploits.
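For organisations that pin browser versions, the version check above can be run across a software inventory export. The following is an added example, not code from Google or from this article; the CSV layout, hostnames and sample versions are constructed, and only the 145.0.7632.75 threshold comes from the text.

```python
"""Flag hosts whose Chrome build predates the fix named in this article."""
import csv
import io

PATCHED = (145, 0, 7632, 75)  # first fixed build, per the article

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,145.0.7632.76
ws-002,chrome,145.0.7632.71
ws-003,chrome,145.0.7632.8
ws-004,chrome,144.0.7559.133
ws-005,edge,145.0.3800.58
ws-006,chrome,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted build number."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version):
    """Return 'patched', 'vulnerable' or 'verify' for one inventory row."""
    parsed = parse_version(version)
    if parsed is None:
        return "verify"  # unparseable: treat as unknown, never as safe
    if browser.strip().lower() != "chrome":
        # Other Chromium-based browsers number their builds differently and
        # the article gives no fixed versions for them: check the vendor.
        return "verify"
    # Tuple comparison is numeric, so .8 sorts below .75 (a string compare would not).
    return "patched" if parsed >= PATCHED else "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["browser"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked "verify" need a manual check against the relevant vendor's advisory rather than being assumed safe.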
Future Outlook for Chrome Security
Google’s rapid response shows the company can move at breakneck speed when a critical flaw surfaces. Yet the episode highlights the inherent fragility of the web’s underlying stack—use‑after‑free bugs stem from low‑level memory management, a domain where even seasoned engineers can slip.
As browsers grow more powerful, they also present richer attack surfaces. The best defence remains the same: keep your software current, stay informed, and apply a healthy dose of scepticism to any site that looks off. So, have you updated Chrome yet? The clock is ticking.
