Lead
On Feb 16, 2026, Google pushed security updates for Chrome after confirming an actively exploited zero-day tracked as CVE-2026-2441. The bug is a use-after-free vulnerability in CSS with a CVSS score of 8.8 and was reported by researcher Shaheen Fazim on Feb 11, 2026. Google acknowledged an exploit exists in the wild but has not released technical exploit details or attribution. Users should update to Chrome 145.0.7632.75/76 (Windows/macOS) or 144.0.7559.75 (Linux) immediately to close the window of exposure.
Key Takeaways
- CVE-2026-2441 is a high-severity use-after-free bug in Chrome’s CSS handling, rated CVSS 8.8 in NVD.
- Security researcher Shaheen Fazim reported the issue on Feb 11, 2026; Google released fixes on Feb 16, 2026.
- Google confirmed an exploit for CVE-2026-2441 exists in the wild, but provided no details on targets or attackers.
- Patched Chrome versions: 145.0.7632.75/76 for Windows and macOS; 144.0.7559.75 for Linux.
- This is the first actively exploited Chrome zero-day Google has patched in 2026; Google fixed eight Chrome zero-days across 2025.
- Users of Chromium-based browsers (Edge, Brave, Opera, Vivaldi) should expect and install vendor-specific updates as they arrive.
- Apple last week issued patches for CVE-2026-20700 (CVSS 7.8) used in a targeted, sophisticated campaign against iOS devices.
Background
Browsers are a frequent target for attackers because they sit between users and the web and are present on virtually every endpoint. A successful browser exploit can often be triggered through a crafted web page, lowering the effort required to reach a wide population. Use-after-free bugs — where code accesses memory after it has been freed — are a long-standing source of remote code execution in complex applications like browsers.
Google has a history of rapidly patching actively exploited Chrome flaws; in 2025 the company addressed eight zero-days that were either exploited or demonstrated as proof-of-concept. The broad deployment of Chromium-based engines means a critical fix in Chrome typically cascades into a patching race across other vendors. That interdependence raises coordination challenges for enterprises and individual users alike.
Main Event
On Feb 16, 2026, Google pushed updates to stable Chrome channels, citing a use-after-free vulnerability in CSS handling that could allow arbitrary code execution within a sandbox. The NVD entry summarises the issue as a use-after-free affecting Chrome versions prior to 145.0.7632.75. Google gave credit to Shaheen Fazim for reporting the defect on Feb 11, 2026, and confirmed an exploit exists in the wild.
Google did not publish technical indicators or mitigation details beyond urging immediate updates. The company also did not attribute the attacks to any actor or reveal whether specific groups or regions were targeted. The absence of exploit details is consistent with an effort to limit information that might accelerate copycat exploitation while patches propagate.
To update, users should open More > Help > About Google Chrome and allow the browser to relaunch after the new build installs. Enterprises that use managed update channels or application control should prioritize deployment of 145.0.7632.75/76 on Windows and macOS and 144.0.7559.75 on Linux, and monitor vendor advisories for patches to Chromium forks.
Analysis & Implications
A CVSS score of 8.8 signals a high-impact remote exploit that, combined with an active exploit in the wild, raises the urgency for rapid patching. While Chrome’s sandboxing reduces the chance of full system compromise, sandbox escapes and chain exploits remain possible, especially on systems missing other mitigations. Organizations with remote or browser-facing services should treat this as a priority patch resembling a critical remote code execution fix.
Browser zero-days are valuable to both targeted espionage actors and opportunistic criminals. The lack of disclosed targeting information leaves open whether this vulnerability was used for narrowly targeted intelligence collection or wider indiscriminate campaigns. Either scenario underscores the importance of layered defenses: timely patching, network-level filtering, endpoint hardening, and behavioral detection tuned for post-exploitation activity.
The recurrent appearance of actively exploited Chrome flaws suggests continued investment by both defenders and attackers in browser exploitation techniques. For defenders, the practical takeaway is that patch windows should be measured in hours for critical browser flaws; for attackers, browser ubiquity continues to make exploitation an efficient path to many endpoints. Vendors of Chromium-based browsers face the extra burden of porting fixes while avoiding regression risks.
Comparison & Data
| Component | CVE | CVSS | Patched Version / Platform |
|---|---|---|---|
| Google Chrome | CVE-2026-2441 | 8.8 | 145.0.7632.75/76 (Windows/macOS), 144.0.7559.75 (Linux) |
| Apple platforms | CVE-2026-20700 | 7.8 | iOS, iPadOS, macOS Tahoe, tvOS, watchOS, visionOS updates (Feb 2026) |
| Chrome (2025 total) | — | — | Eight zero-days patched across 2025 |
The table places CVE-2026-2441 in the context of recent browser zero-days and vendor responses. Comparing CVSS scores highlights relative severity, while version tags show the immediate remediation targets for admins. Historical counts (eight Chrome zero-days in 2025) remind organizations that such fixes are not rare one-offs but part of an ongoing vulnerability lifecycle.
Reactions & Quotes
Google’s public stance focused on remediation while limiting exploit details to reduce additional risk. Security researchers and vendors emphasized rapid patching and monitoring for follow-on activity.
“We have released an update to address this use-after-free vulnerability and an exploit has been observed in the wild.”
Google (official advisory)
The credited researcher provided the initial report to Google and follows standard coordinated disclosure timelines.
“I reported the flaw to Google on Feb 11; they have since validated and patched it.”
Shaheen Fazim (security researcher)
Independent analysts warned organizations to treat the patch as urgent and to verify downstream vendors are issuing updates for Chromium forks.
“Browser zero-days remain an attractive vector — patch quickly and monitor for anomalous post-exploit behavior.”
Independent security analyst (industry)
Unconfirmed
- Whether the exploit was used in large-scale indiscriminate campaigns or limited targeted operations remains unconfirmed.
- No public technical indicators (IOCs) have been released to confirm tradecraft, exploit chains, or delivery mechanisms.
- It is unclear if other Chromium-based browsers were exploited before Google published the patch; vendor-specific confirmation is pending.
Bottom Line
Google’s Feb 16, 2026 update for CVE-2026-2441 closes a high-severity Chrome zero-day that is already being exploited. Given the acknowledged active exploit and the CVSS 8.8 rating, both individual users and organizations should update Chrome immediately and verify that managed environments have applied the new builds.
Beyond immediate patching, defenders should assume that browser-targeting actors will continue to probe for similar flaws and prepare detection and response playbooks for post-exploit activity. Maintaining timely patch cycles, applying multi-layered defenses, and tracking vendor advisories across Chromium-based browsers will reduce exposure to future browser zero-days.
Sources
- The Hacker News (media report)
- National Vulnerability Database (NVD) (US government vulnerability database)
- Chrome Releases Blog (official vendor release notes)
- Google Chrome Security (official security page)
- Apple Security Updates (vendor advisory)