Google has patched a high‑severity zero‑day vulnerability in Chrome that was being actively exploited in the wild. The flaw, tracked as CVE‑2026‑2441, is a “use after free” bug in the browser’s CSS component.
A “use after free (UAF)” bug occurs when a program continues to access memory after it has already been freed or deallocated.
In simple terms, it’s like checking out of a hotel room but still using the key to walk in and out. That memory space may now be reused by something else, and attackers can exploit this confusion to corrupt data, crash the program, or even run malicious code. Browsers like Chrome, written in memory‑unsafe languages such as C++, are particularly vulnerable to this type of flaw.
According to Google, the bug allowed attackers to execute arbitrary code inside Chrome’s sandbox simply by tricking users into opening a crafted HTML page. With a severity score of 8.3 out of 10, the issue ranks as one of the more dangerous vulnerabilities patched so far this year.
The fix is included in Chrome versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
If you haven’t disabled automatic updates, restarting Chrome should be enough to apply the patch. For those who manage updates manually, you can check by clicking the three dots in the top‑right corner, navigating to Help > About Google Chrome, and letting the browser download the latest version.
Google confirmed that exploits for CVE‑2026‑2441 were already circulating. However, the company withheld details about victims, attack methods, or threat actors until more users have updated, in order to prevent copycat attacks.
This marks the first zero‑day patch of 2026. For context, a zero-day patch is an emergency patch applied outside the regular patching and maintenance schedule. Last year, Google patched eight zero‑days in Chrome, many of which were linked to state‑sponsored groups. The company’s quick response underscores how critical browser security has become, especially as Chrome remains the most widely used browser worldwide.
One piece of advice as you’re finishing reading this article: update now. Even if you don’t notice anything unusual, running an outdated version of Chrome leaves you exposed to potential attacks. Since the exploit only requires visiting a malicious webpage, the risk is significant.
Security researchers stress that zero‑day vulnerabilities in browsers are among the most valuable tools for attackers, because they can be deployed silently and at scale.
