If you use Google Chrome, you should install the latest update ASAP. Google has issued a patch for a high-severity flaw that has been actively exploited in the wild—the first Chrome zero-day in 2026.
What the Google Chrome patch fixes
The latest flaw, catalogued as CVE-2026-2441 , is a use-after-free vulnerability in CSSFontFeatureValuesMap, Chrome’s CSS font feature implementation. A use-after-free vulnerability is a flaw in which an application attempts to use memory after it has been released back to the system. This type of bug allows attackers to execute code, escalate privileges, cause app or system crashes, and leak sensitive data.
CVE-2026-2441 would allow “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.” Essentially, this means malicious HTML content could run code inside a Chrome tab, extension, or plugin. As Malwarebytes explains , this is dangerous because attackers can see or modify whatever the isolated browser tab (sandbox) can access, allowing actions like credential harvesting and traffic rerouting—even if it cannot escape to impact the whole operating system.
Google said that this vulnerability has been exploited in the wild but hasn’t provided any specific details as to how. The discovery has been attributed to Shaheen Fazim.
What Chrome users need to do
Google released a Stable channel update on Feb. 13 with a patch for this flaw. The latest versions of Chrome are 145.0.7632.75/76 for Windows and macOS and 144.0.7559.75 for Linux, so you’ll want to ensure you are up to date. Go to the Chrome menu and select About Google Chrome to check which version you’re on.
Chrome updates automatically when you close and reopen the browser, but if you don’t do that regularly, keep an eye out for pending updates in the top-right corner of your browser window. Apply these updates immediately by tapping the three dots and selecting the first menu item. Chrome will need to restart to complete the update.
