Chrome browsers under attack as Google releases emergency patch for zero-day exploit


Google has released an emergency fix for a Chrome vulnerability that has already been exploited in the wild — the first of its kind to have been reported this year.

Security updates for its Chrome browser were released on Friday for the flaw — first reported by security researcher Shaheen Fazim on Wednesday (11 February).


The high-severity vulnerability is tracked as CVE-2026-2441 (CVSS score: 8.8), and has been described as a use-after-free bug in CSS.

A use-after-free bug in the browser's CSS rendering component allowed a remote attacker to execute arbitrary code within a sandbox via a crafted HTML page, according to a description of the flaw in NIST's National Vulnerability Database (NVD).

Although Google found evidence of attackers exploiting this zero-day flaw in the wild, it did not share additional details regarding these incidents.

Google has now fixed this vulnerability for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (145.0.7632.75/76), and Linux users (144.0.7559.75) worldwide over the coming days or weeks.

Last year, Google addressed a total of eight zero-days abused in the wild, and the latest news highlights how browser-based flaws are an attractive target for bad actors, given that browsers are installed everywhere and expose a broad attack surface.

Researchers in Google’s Threat Intelligence Group note in a report that North Korean threat actors exploited two zero-day vulnerabilities in Chrome in 2024.

Last month Google fixed a vulnerability (not yet exploited in the wild) in the new Chrome versions 143.0.7499.192/193 for Windows and macOS and 143.0.7499.192 for Linux.

