Critical Google Chrome Update Due to Vulnerability CVE-2026-2441
A serious security vulnerability known as CVE-2026-2441 has led Google to issue an urgent out-of-band update for Chrome, following confirmation that it is currently being exploited. The Hong Kong Computer Emergency Response Team (HKCERT) informed users about this flaw on February 16, 2026. This vulnerability is categorized as Extremely High Risk due to its potential for Remote Code Execution (RCE), posing significant implications for users.
Understanding CVE-2026-2441: The Use-After-Free Vulnerability
The flaw originates from a use-after-free (UAF) error in the CSS processing component of Google Chrome. Official documentation states that this vulnerability allows an attacker to run arbitrary code in a sandbox environment when a user visits a maliciously crafted web page.
In simpler terms, a use-after-free vulnerability occurs when software continues to access memory after it has been released. The result is unpredictable behavior, including crashes, but attackers can also leverage it to inject harmful code. This particular flaw in Chrome’s CSS engine can lead to remote code execution, significantly increasing the risk for users.
This vulnerability has a CVSS score of 8.8, which is rated “high.” Nonetheless, the immediate risk is elevated because attackers are already exploiting it. A remote attacker can trigger the vulnerability simply by convincing a user to open a specially crafted HTML page.
Google Chrome Emergency Update Released
In response to this pressing issue, Google released an emergency update on February 13. The update rolled out as version 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. Google mentioned, “The Stable channel has been updated to encompass this crucial security fix,” with a full list of changes available in their release notes.
The vulnerability was initially reported by security researcher Shaheen Fazim on February 11 and has been assigned the internal reference “[TBD][483569511] High CVE-2026-2441: Use after free in CSS.” Due to the active exploitation of this flaw, Google has temporarily restricted access to further details about the bug.
Browser Versions Affected by CVE-2026-2441
The risk of Remote Code Execution affects several versions of Google Chrome. Users should pay attention to whether their browser is one of the following:
- Google Chrome versions prior to 144.0.7559.75 for Linux
- Google Chrome versions prior to 145.0.7632.75/76 for Windows
- Google Chrome versions prior to 145.0.7632.75/76 for macOS
The updated versions that include a fix for CVE-2026-2441 are:
- 144.0.7559.75 for Linux
- 145.0.7632.75/76 for macOS and Windows
- The Extended Stable version 144.0.7559.177 for both macOS and Windows
RCE vulnerabilities present serious security concerns, even in a sandbox environment, as attackers often combine multiple weaknesses for exploitation.
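The version thresholds listed above can be applied to an inventory of installed browsers to find machines that still need the update. The following is an added example, not code from Google or HKCERT: the host names and inventory format are constructed, and comparing each build against the fixed build on its own release branch (so that an Extended Stable 144 build is not judged against the 145 threshold) is an assumption of this example.

```python
import re

# First fixed builds per platform, as listed on this page.
FIXED = {
    "linux": [(144, 0, 7559, 75)],
    "windows": [(145, 0, 7632, 75), (144, 0, 7559, 177)],  # Stable, Extended Stable
    "macos": [(145, 0, 7632, 75), (144, 0, 7559, 177)],
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version from text such as 'Google Chrome 145.0.7632.76'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if not fixed or version is None:
        return "unknown"  # never report an unreadable record as safe
    # Assumption: compare against the fixed build of the same major branch if the
    # page lists one; otherwise compare against the newest fixed build.
    same_branch = [f for f in fixed if f[0] == version[0]]
    threshold = same_branch[0] if same_branch else max(fixed)
    return "patched" if version >= threshold else "vulnerable"

def audit(inventory):
    """inventory: lines of 'host,platform,version text'. Returns {host: status}."""
    results = {}
    for line in inventory.strip().splitlines():
        host, platform, version_text = line.split(",", 2)
        results[host.strip()] = assess(platform, version_text)
    return results

# Constructed sample inventory (hypothetical hosts), not data from the page.
SAMPLE = """
ws-001,windows,Google Chrome 145.0.7632.76
ws-002,windows,Google Chrome 145.0.7632.45
ws-003,windows,144.0.7559.177
ws-004,windows,144.0.7559.110
mac-01,macos,Google Chrome 144.0.7559.177
lnx-01,linux,Google Chrome 144.0.7559.75
lnx-02,linux,Google Chrome 144.0.7559.59
kiosk-9,windows,version unavailable
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Records that cannot be parsed are reported as unknown rather than patched, so they stay on the list of machines to follow up on.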
The Importance of Timely Patching
Google emphasizes the need for rapid updates to address such vulnerabilities. They also highlighted that many of the security flaws were caught during development using tools like AddressSanitizer, MemorySanitizer, and Control Flow Integrity. The company has expressed gratitude toward researchers who helped discover and resolve potential security issues.
Browsers built on Chromium’s codebase, such as Microsoft Edge, will likely receive similar updates. Users of those browsers should stay attentive for patches.
How to Update Google Chrome
For users looking to ensure they have the latest version of Google Chrome, the procedure is straightforward. Click on the three-dot menu located next to the address bar, navigate to “Help,” and select “About Google Chrome.” The browser will display the current version and will automatically initiate the update if necessary. On Linux systems, updates typically rely on the distribution’s software manager.
Staying vigilant and applying updates promptly can help safeguard against potential exploitation from vulnerabilities like CVE-2026-2441.


