
CVE-2026-2441 is a high-severity use-after-free vulnerability in Google Chrome’s CSS processing component. It affects versions prior to 145.0.7632.75 and allows remote attackers to potentially execute arbitrary code within the browser’s sandbox via a crafted HTML page.
Severity Details
The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with an attack vector of Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). Scope is unchanged (S:U), with high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H).
Exploitation Status
Google confirmed an exploit for CVE-2026-2441 exists in the wild, marking it as the first actively exploited Chrome zero-day patched in 2026. No specific threat actors or widespread campaigns are detailed in initial reports, but its characteristics (low complexity, sandbox escape potential) make it attractive for attacks.
Affected Platforms
The vulnerability impacts Google Chrome on Windows, macOS, and Linux. Chromium-based browsers may inherit the issue; check vendor advisories for derivatives like Microsoft Edge or Brave.
Patch and Mitigation
Update to Chrome 145.0.7632.75 or later via the Stable Channel release. Enable automatic updates, avoid clicking untrusted links, and monitor the CISA Known Exploited Vulnerabilities (KEV) catalog for the CVE's addition. Vendors like Red Hat and Debian are tracking it.
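To check a fleet against the fixed build, the following added example (not from Google or any vendor advisory) triages browser version strings against 145.0.7632.75. The inventory format, host names, and every sample version other than the fixed build are constructed for illustration. Chromium derivatives are flagged for vendor review rather than compared, because their build numbers do not map onto Chrome's.

```python
import re

# First fixed Chrome build, taken from the advisory text above.
FIXED = (145, 0, 7632, 75)

# Constructed sample inventory: (host, browser version string as an
# inventory tool might report it). All values here are illustrative.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 145.0.7632.75"),
    ("ws-002", "Google Chrome 145.0.7632.9"),      # older patch level
    ("ws-003", "Google Chrome 144.0.7559.110"),    # older major
    ("ws-004", "Google Chrome 146.0.7680.12 beta"),
    ("ws-005", "Microsoft Edge 145.0.3800.58"),    # Chromium derivative
    ("ws-006", "Google Chrome"),                   # version missing
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one version string against the fixed Chrome build."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"
    if not version_output.strip().startswith("Google Chrome"):
        # Derivatives use their own build numbering; Chrome's fixed
        # version is not comparable. Defer to the vendor's advisory.
        return "check-vendor-advisory"
    # Tuple comparison is numeric per component, so 7632.9 < 7632.75.
    # A plain string comparison would get this case wrong.
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """Map each host to its status."""
    return {host: classify(out) for host, out in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```
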



