Threat actors now have the ability to exploit a new zero-day vulnerability in the Chrome browser, Google has advised IT administrators.
The warning comes after Google released a patch for Chrome to plug a post-use free memory vulnerability (CVE-2026-2441) in cascading style sheets (CSS), which means the browser’s CSS engine doesn’t manage memory well and could be exploited by a hacker.
If not patched, it allows a remote attacker to execute arbitrary code inside a sandbox using a crafted HTML page. Vulnerability is rated in high severity.
Vulnerable Windows and Mac Chrome browsers before 145.0.7632.75/76, and before 144.0.7559.75 for Linux.
“Google is aware that the CVE-2026-2441 exploit exists in the wild,” the warning added.
Details about the pit are scarce. Google says that access to bug details and links may be restricted until the majority of users are updated with a fix. It will also maintain restrictions if a bug exists in a third-party library that other projects similarly depend on, but have not yet fixed.
Gene Moody, field CTO at Action1, explained that, in this vulnerability, the browser frees the object, but later continues to use the memory location of the old reference. Any attacker who can shape the heap structure with controlled contents may replace the contents of that freed memory with data they control. Because this is always in the renderer, and accessible through standard page content, he said, the configuration space is almost perfect.
“In practical terms,” he added, “a vulnerable user visiting a malicious page is not enough to trigger a bug.”
Hunting and exploiting browser vulnerabilities is a popular tool for malicious actors. That’s because browsers are often the entry point for businesses, especially in the era of cloud applications. Browsers not only access company data, they carry sensitive information such as login credentials and personal data stored in auto-fill forms.
Usually, browsers ship with the default patcher enabled by default. Some CSOs/CIOs, however, may prefer manual installation, so patches can be tested for compatibility with business applications before installation.
Johannes Ullrich, director of research at the SANS Institute, said that this is the latest date for Chrome 0 to be discovered, and, based on history, there are probably many others already in use that have not been discovered or patched until now.
“Having a strong system to monitor storage facilities can reduce some of this risk,” he said. For business administrators, Google offers Chrome Enterprise Core, which adds the tool needed to monitor browser versions and release upgrades. Chrome Enterprise Core also adds centralized management of extensions. Malicious extensions are often a bigger problem than 0 days.”
Browsers are very complex systems that support a large number of technologies, he added, and include legacy standards with limited current support.
“The open source Chromium browser codebase includes about 36 million lines of code,” he said. “A large project like this will inevitably involve risks. Google has implemented a number of automation tools to continue to reduce the number of risks, but adversaries do the same, and sometimes they find bugs that Google hasn’t discovered or gotten around to actively documenting.”
The days of the browser have never been better, because it’s a no-brainer for criminals to use poison ads to try to direct victims with vulnerable browsers to websites with malicious code, said David Shipley, head of Canadian security awareness training provider Beauceron Security.
“At this point, it looks like this is just a minor fix for an ongoing vulnerability, and Google is tight-lipped about how bad this bug was, and all the things that could have been used to bypass the browser crash and corrupt data. But given that there is something going on in the wild, and Google says it’s waiting until most users are patched before getting clear details about this.”
Finding business browsers isn’t as easy as it should be, he added, and often involves expensive tools or complex workflows that many smaller organizations don’t have.
Google, however, provides extensive advice to administrators on managing Chrome updates.
