Chrome Zero-Day CVE-2026-2441 Exploited in the Wild: Use-After-Free in CSS Engine

Feb 1, 2026 · CVSS 8.8 (HIGH) · Browser zero-day

By Karim El Labban · ZERO|TOLERANCE


On February 13, 2026, Google released an emergency out-of-band security update for Chrome after confirming that CVE-2026-2441 - a high-severity use-after-free vulnerability in Chrome's CSSFontFeatureValuesMap component - was being actively exploited in the wild before a patch existed.

The flaw, reported by security researcher Shaheen Fazim on February 11, carries a CVSS 3.1 score of 8.8 and affects all Chromium-based browsers: Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and DuckDuckGo - as well as Electron-based applications that render untrusted web content.

CISA added CVE-2026-2441 to its Known Exploited Vulnerabilities catalog on February 17 and set a federal remediation deadline of March 10, 2026. Within the same quarter, Google patched two additional actively exploited zero-days - CVE-2026-3909 (Skia out-of-bounds write) and CVE-2026-3910 (V8 inappropriate implementation) - bringing the total to three Chrome zero-days exploited in the wild in the first three months of 2026. Google has not disclosed who exploited CVE-2026-2441 or who was targeted.

01

KEY FACTS

  • What: Use-after-free in Chrome's CSSFontFeatureValuesMap - iterator invalidation allows heap corruption and arbitrary code execution inside the browser sandbox via a crafted HTML page.
  • CVE: CVE-2026-2441 | CWE-416 | CVSS 3.1: 8.8 (HIGH) | Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
  • Who: All users of Chromium-based browsers - estimated 3.45 billion desktop and mobile users worldwide.
  • How: Drive-by exploitation - victim visits a malicious or compromised webpage containing crafted CSS and JavaScript. No interaction beyond page load required.
  • Actor: Unknown. Google has not disclosed attribution. Google TAG monitors zero-day exploitation by nation-state groups and commercial spyware vendors.
  • Additional Zero-Days: CVE-2026-3909 (Skia OOB write, CVSS 8.8) and CVE-2026-3910 (V8 inappropriate implementation, CVSS 8.8) - both discovered by Google on March 10, patched March 12.
  • Impact: All Chromium-based browsers required emergency patches. CISA mandated federal agency remediation by March 10. Public proof-of-concept exploit published on GitHub.

02

WHAT HAPPENED

On February 11, 2026, security researcher Shaheen Fazim reported a use-after-free vulnerability in Chrome's CSS engine to Google. This was Chrome's first actively exploited zero-day of 2026.

Google followed its standard practice of withholding technical details until a majority of users updated.

CISA added CVE-2026-2441 to the Known Exploited Vulnerabilities (KEV) catalog on February 17, alongside three other actively exploited flaws (CVE-2024-7694 in TeamT5 ThreatSonar, CVE-2020-7796 in Zimbra, and CVE-2008-0015 in Microsoft Windows).

Federal agencies were given until March 10, 2026 to patch or discontinue use of affected products per BOD 22-01.

The Chromium-based browser ecosystem responded over the following days: Microsoft Edge shipped version 145.0.3800.58, Brave released v1.87.188, Vivaldi pushed 7.8/3925.70, Opera issued 127.0.5778.64, and DuckDuckGo updated its mobile and desktop clients.

Chrome for Android was patched at version 145.0.7632.109.

Less than a month later, on March 10, Google internally discovered two more zero-days being exploited in the wild - CVE-2026-3909 (out-of-bounds write in Skia, Chrome's 2D graphics library) and CVE-2026-3910 (inappropriate implementation in V8, Chrome's JavaScript/WebAssembly engine).

Both were patched within two days in Chrome 146.0.7680.75/76 and added to the CISA KEV catalog on March 13 with a March 27 federal remediation deadline.

Three actively exploited browser zero-days in a single quarter indicates either a single sophisticated adversary burning multiple capabilities or multiple independent actors with browser exploitation ability operating simultaneously.

03

THREAT ACTOR

Google has not disclosed who exploited CVE-2026-2441, how it was used, or who was targeted. This is consistent with Google's policy of restricting exploitation details for active zero-days.

Context matters. Google's Threat Analysis Group (TAG) is the team that monitors zero-day exploitation campaigns. TAG's mandate covers state-backed cyber espionage and commercial spyware vendors - groups like NSO Group (Pegasus), Intellexa (Predator), Candiru, and QuaDream.

In 2025, TAG identified and reported multiple Chrome zero-days being exploited in targeted surveillance operations.

Browser rendering engine vulnerabilities of this class - use-after-free in CSS/layout components - have historically been exploited by commercial spyware vendors targeting journalists, activists, and government officials, and by nation-state APT groups for espionage.

The fact that CVE-2026-3909 and CVE-2026-3910 were discovered by Google internally (not by external researchers) strongly suggests TAG found them during investigation of targeted attack campaigns. Whether CVE-2026-2441 was exploited by the same actor or independently is unknown.

For comparison: CVE-2024-7971, a Chrome V8 type confusion vulnerability exploited in 2024, was attributed to North Korea's Lazarus Group targeting the cryptocurrency sector. CVE-2026-2441's attribution remains at confidence level: unknown.

04

WHAT WAS EXPOSED

CVE-2026-2441 is a browser vulnerability, not a data breach in the traditional sense. However, successful exploitation enables access to:

  • Session cookies and authentication tokens - allowing account takeover of any authenticated web session
  • Saved passwords in the browser's credential store
  • Browsing history, bookmarks, and autofill data (addresses, phone numbers, payment cards)
  • Clipboard contents at time of exploitation
  • Access to browser-accessible APIs (camera, microphone, geolocation) depending on site permissions
  • Potential lateral movement to local filesystem if chained with a sandbox escape vulnerability

The use-after-free occurs on Chrome's compositor thread, which interfaces with GPU shared memory for texture and display list operations.

Researcher analysis indicates the corrupted object can be used to gain a write primitive into shared memory buffers, and attacker-controlled data can corrupt GPU command buffer entries - a potential path to sandbox escape.

Without confirmed sandbox escape, exploitation is confined to the renderer process.

For targeted surveillance operations - the most likely exploitation scenario for a browser zero-day of this caliber - the objective is typically persistent device access: installing spyware that survives browser closure, captures communications, activates the microphone and camera, and exfiltrates contacts, messages, and location data.

05

TECHNICAL FAILURE CHAIN

1. Memory-unsafe language in critical rendering path. Chrome's CSS engine is written in C++, which does not enforce memory safety at the language level. Firefox's equivalent CSS engine (Stylo) is written in Rust, which prevents use-after-free by design.

The entire class of vulnerability is avoidable through language choice.

2. Iterator invalidation in CSSFontFeatureValuesMap. The FontFeatureValuesMapIterationSource stored a raw pointer to the internal FontFeatureAliases HashMap.

When the map was mutated during iteration via set() or delete(), the HashMap rehashed - allocating new storage and freeing the old. The raw pointer became dangling. The next FetchNextItem() call read from freed memory. The fix was changing the raw pointer to a deep copy.
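The iterator-invalidation bug in item 2, reduced to a stand-alone C++ sketch that puts the raw-pointer pattern beside the deep-copy fix. This is an added example, not Chromium's code: the struct names, the Aliases typedef, the IteratorStillValid() guard and the alias keys are all constructed, and std::unordered_map stands in for the engine's HashMap.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
using Aliases = std::unordered_map<std::string, std::string>;  // toy stand-in for FontFeatureAliases (constructed)

// Vulnerable pattern: a raw pointer to the live map plus an iterator into its
// bucket storage. A set()/delete() that rehashes frees that storage, so the next
// FetchNextItem() reads freed memory. The validity guard is added for the demo only.
struct LiveIterationSource {
  Aliases* map; Aliases::iterator it; std::size_t buckets;
  explicit LiveIterationSource(Aliases* m) : map(m), it(m->begin()), buckets(m->bucket_count()) {}
  bool IteratorStillValid() const { return map->bucket_count() == buckets; }
  bool FetchNextItem(std::string* key) {
    if (!IteratorStillValid() || it == map->end()) return false;
    *key = (it++)->first;
    return true;
  }
};

// Hardened pattern (the deep copy the article describes as the fix): the source
// iterates its own copy, so mutating the live map cannot reach it.
struct SnapshotIterationSource {
  Aliases copy; Aliases::iterator it;  // `copy` must be declared before `it`
  explicit SnapshotIterationSource(const Aliases& m) : copy(m), it(copy.begin()) {}
  bool FetchNextItem(std::string* key) {
    if (it == copy.end()) return false;
    *key = (it++)->first;
    return true;
  }
};

// Vulnerable source: call set() mid-iteration until the live map rehashes, then
// report whether the iterator survived (it does not).
bool LiveIteratorSurvivesMutation() {
  Aliases map{{"swashy", "1"}, {"curly", "2"}};
  LiveIterationSource src(&map);
  std::string key;
  src.FetchNextItem(&key);
  for (int i = 0; src.IteratorStillValid() && i < 100000; ++i)
    map["alias-" + std::to_string(i)] = "1";  // set() during iteration
  return src.IteratorStillValid();
}
// Hardened source under the same mutation: both original keys come back once.
std::size_t SnapshotItemsIterated() {
  Aliases map{{"swashy", "1"}, {"curly", "2"}};
  SnapshotIterationSource src(map);
  std::string key; std::size_t n = 0;
  while (src.FetchNextItem(&key)) map["alias-" + std::to_string(++n)] = "1";
  return n;
}
```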

3. Heap exploitation through predictable allocation. Proof-of-concept exploits demonstrate that allocating 50 identical @font-feature-values CSS rules before triggering the use-after-free creates predictable heap fragmentation, increasing reliability across Chrome versions.

The freed memory can be sprayed with attacker-controlled objects.

4. Compositor thread proximity to GPU shared memory. The use-after-free occurs on the compositor thread, which directly interfaces with GPU shared memory for texture and display list operations.

This provides a potential escalation path from heap corruption to GPU command buffer manipulation - a stepping stone toward sandbox escape.

5. Delayed patch propagation across Chromium ecosystem. Google patched on February 13, but downstream browsers (Edge, Brave, Vivaldi, Opera) required additional days to integrate and ship the fix.

Organizations running any Chromium-based browser were vulnerable during this window. Electron applications embedding Chromium faced even longer exposure if they did not update their embedded engine.

06

REGULATORY EXPOSURE

Browser zero-days affect every organization and individual using the vulnerable software. Regulatory exposure applies to organizations that fail to patch within mandated timeframes:

  • CISA BOD 22-01 - Federal Civilian Executive Branch agencies were required to remediate by March 10, 2026, or discontinue use. Non-compliance creates audit findings and potential OMB reporting obligations.
  • NIST SP 800-40 Rev 4 (Patch Management) - Organizations following NIST frameworks must demonstrate timely patching of actively exploited vulnerabilities. Failure to patch a CISA KEV-listed vulnerability within the mandated window is a documented control failure.
  • GDPR Article 32 (EU) - Organizations processing EU personal data via Chromium-based browsers that fail to patch an actively exploited vulnerability with a public PoC face potential enforcement for inadequate "security of processing." Fines up to 4% of annual global turnover or EUR 20M.
  • UK GDPR / DPA 2018 - ICO enforcement mirrors GDPR. Fines up to GBP 17.5M or 4% of global turnover.
  • HIPAA Security Rule (US) - Healthcare entities using unpatched Chromium browsers to access ePHI face potential violations of the Technical Safeguards requirement (45 CFR 164.312). Fines up to $2.1M per violation category per year.
  • PCI DSS 4.0 Requirement 6.3.3 - Organizations in scope for PCI that fail to patch critical and high-severity vulnerabilities within defined timelines face compliance violations and potential acquirer sanctions.
  • Saudi NCA Essential Cybersecurity Controls - Saudi government and critical infrastructure entities must apply patches for actively exploited vulnerabilities per NCA mandates. Non-compliance is reported to SDAIA.
  • UAE TDRA / NESA - UAE critical infrastructure operators face regulatory expectations for timely vulnerability remediation under NESA IAS standards.
  • FedRAMP (US Cloud) - Cloud service providers holding FedRAMP authorization must remediate high-severity vulnerabilities within 30 days. A CVSS 8.8 with confirmed exploitation and public PoC triggers accelerated remediation requirements.

07

ZERO|TOLERANCE Advisory

1. Enable Automatic Browser Updates and Verify Restart - The single most important control. Ensure Chrome auto-update is enabled and not blocked by enterprise Group Policy.

Verify that browsers are restarted after update installation - a downloaded patch provides zero protection until the browser process is relaunched.

2. Deploy Browser Isolation for High-Risk Users - Render untrusted web content in disposable cloud containers so that memory corruption exploits never execute on the endpoint. This neutralizes the entire exploit chain regardless of patch status.

3. Enforce CISA KEV Patching SLAs - Treat every CISA KEV addition as a mandatory patch within the federal deadline (or faster). Automate KEV monitoring and integrate with vulnerability management workflows.

Any organization that had not patched CVE-2026-2441 by March 10, 2026 - 25 days after the patch was available - was negligent.

4. Inventory All Chromium-Based Browsers and Electron Applications - Most organizations track Chrome but miss Edge, Brave, Vivaldi, Opera, DuckDuckGo, and Electron-based applications (Slack, Teams, VSCode, Discord, Figma, Notion) that embed Chromium and require independent patching.

Maintain a complete software inventory of every Chromium instance.

5. Enable Hardware-Enforced Exploit Protections - Activate Control Flow Integrity (CFI), hardware-enforced stack protection (Intel CET), and ASLR on all endpoints. These do not prevent the use-after-free but increase the difficulty of reliable exploitation.

6. Monitor for Anomalous Browser Behavior - Deploy EDR rules to detect post-exploitation indicators: unexpected child processes spawned by Chrome's renderer, unusual GPU process behavior, and attempts to write outside the browser sandbox.

08

SOURCES

Google Chrome Releases Blog, NVD (NIST), CISA KEV Catalog, The Hacker News, BleepingComputer, The Register, Help Net Security, SecurityWeek, Malwarebytes, SOC Prime, Menlo Security, Lookout Threat Intelligence, Orca Security, Qualys ThreatPROTECT, Field Effect, CyberSecureFox, Penligent
