CVE-2026-2441
published 2026-02-13
CVE-2026-2441: Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page…
Priority P190 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2026-03-10
Exploited in the wild
EPSS: 22.02% (97.4th percentile)
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 145.0.7632.75-1~deb12u1 | 145.0.7632.75-1~deb12u1 |
| chromium | chromium | >= 0 < 145.0.7632.75-1~deb13u1 | 145.0.7632.75-1~deb13u1 |
| chromium | chromium | >= 0 < 145.0.7632.75-1 | 145.0.7632.75-1 |
| debian | chromium | < chromium 145.0.7632.75-1~deb12u1 (bookworm) | chromium 145.0.7632.75-1~deb12u1 (bookworm) |
| | chrome | < 145.0.7632.75 | 145.0.7632.75 |
| | chrome | < 145.0.7632.76 | 145.0.7632.76 |
| | chrome | >= 145.0.7632.75 < 145.0.7632.75 | 145.0.7632.75 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability affects Google Chrome prior to 145.0.7632.75 (Windows/macOS) and 144.0.7559.75 (Linux); Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and downstream packages (chromium-qt6-ui, qt6-qtwebengine) are also affected and require separate patching.
CVSS provenance
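| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | |
| vulncheck | 8.8 | HIGH | |
| cisa | 8.8 | HIGH | |
| vendor_debian | 8.8 | HIGH | |
| vendor_msrc | 8.8 | HIGH | |
| vendor_redhat | 8.8 | HIGH | |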
GHSA
GHSA-xpp8-qpcr-c3rg: Use after free in CSS in Google Chrome prior to 145
ghsa_unreviewed·2026-02-13
CVE-2026-2441 [HIGH] CWE-416 GHSA-xpp8-qpcr-c3rg: Use after free in CSS in Google Chrome prior to 145
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2026-2441: Use after free in CSS in Google Chrome prior to 145
osv·2026-02-13·CVSS 8.8
CVE-2026-2441 [HIGH] CVE-2026-2441: Use after free in CSS in Google Chrome prior to 145
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium CSS Use-After-Free Vulnerability
vulncheck·2026·CVSS 8.8
CVE-2026-2441 [HIGH] CWE-416 Google Chromium CSS Use-After-Free Vulnerability
Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/site
Palo Alto
PAN-SA-2026-0003 Chromium: Monthly Vulnerability Update (March 2026)
vendor_paloalto·2026-03-11·CVSS 8.8
[HIGH] PAN-SA-2026-0003 Chromium: Monthly Vulnerability Update (March 2026)
Palo Alto Networks incorporated the following Chromium security fixes into our products:
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html
- https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html
- https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
- https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_12.html
- https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_10.html

CVE Summary
- CVE-2026-2314 Heap buffer overflow in Codecs
- CVE-2026-2317 Inappropriate implementation in Animation

CVE
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2026-2441
vendor_chrome·2026-02-27·CVSS 8.8
CVE-2026-2441 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2026-2441
Long Term Support Channel Update for ChromeOS
CVE-2026-2441
CISA
Google Chromium CSS Use-After-Free Vulnerability
cisa·2026-02-17·CVSS 8.8
CVE-2026-2441 [HIGH] CWE-416 Google Chromium CSS Use-After-Free Vulnerability
Vulnerability: Google Chromium CSS Use-After-Free Vulnerability
Affected: Google Chromium
Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-2441
Remediation Due Date: 2026-03-10
Red Hat
chromium-browser: Use after free in CSS
vendor_redhat·2026-02-13·CVSS 8.8
CVE-2026-2441 [HIGH] chromium-browser: Use after free in CSS
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
A use after free flaw was found in the CSS component of the Chromium browser.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Microsoft
Chromium: CVE-2026-2441 Use after free in CSS
vendor_msrc·2026-02-10·CVSS 8.8
CVE-2026-2441 [HIGH] Chromium: CVE-2026-2441 Use after free in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2026-2441 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
C
Debian
CVE-2026-2441: chromium - Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote a...
vendor_debian·2026·CVSS 8.8
CVE-2026-2441 [HIGH] CVE-2026-2441: chromium - Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote a...
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 145.0.7632.75-1~deb12u1)
bullseye: open
forky: resolved (fixed in 145.0.7632.75-1)
sid: resolved (fixed in 145.0.7632.75-1)
trixie: resolved (fixed in 145.0.7632.75-1~deb13u1)
No detection rules found.
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Bleepingcomputer
Google patches new Chrome zero-day flaw exploited in the wild
blogs_bleepingcomputer·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Google patches new Chrome zero-day flaw exploited in the wild
## Google patches new Chrome zero-day flaw exploited in the wild
## Sergiu Gatlan
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing s
Hackernews
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
blogs_hackernews·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
## Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," reads a description of the flaw in the NIST's National Vulnerability Datab
Bleepingcomputer
Google fixes fourth Chrome zero-day exploited in attacks in 2026
blogs_bleepingcomputer·2026-04-01·CVSS 8.8
[HIGH] Google fixes fourth Chrome zero-day exploited in attacks in 2026
## Google fixes fourth Chrome zero-day exploited in attacks in 2026
## Sergiu Gatlan
Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior.
While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company noted.
Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux
Hackernews
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
blogs_hackernews·2026-04-01·CVSS 8.8
CVE-2026-5281 [HIGH] New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
## New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.
"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a de
Bleepingcomputer
Google fixes two new Chrome zero-days exploited in attacks
blogs_bleepingcomputer·2026-03-13·CVSS 8.8
CVE-2026-3910 [HIGH] Google fixes two new Chrome zero-days exploited in attacks
## Google fixes two new Chrome zero-days exploited in attacks
## Sergiu Gatlan
The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75).
While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today.
If you don't want to update your web browser manually, you can also have it check for updates automatically and install them at the next launch.
Although Google fo
Bleepingcomputer
Google Chrome shifts to two-week release cycle for increased stability
blogs_bleepingcomputer·2026-03-03·CVSS 8.8
[HIGH] Google Chrome shifts to two-week release cycle for increased stability
## Google Chrome shifts to two-week release cycle for increased stability
## Bill Toulas
However, the Dev and Canary channels for early development and testing will continue on the current schedule. Also, the ‘Extended Stable’ branch will remain on its existing eight-week cycle for enterprise customers who need longer update timelines.
Google says the smaller, more frequent releases will reduce disruption and simplify debugging while maintaining stability due to recent process improvements.
“While releases will be more frequent, their smaller scope minimizes disruption and simplifies post-release debugging,” Google says in a press release.
“And thanks to recent process enhancements, we are confident this shift will maintain our high standards for stability.”
For Chrome users, the imp
Checkpoint
23rd February – Threat Intelligence Report
blogs_checkpoint·2026-02-23
CVE-2023-27532 23rd February – Threat Intelligence Report
## 23rd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
France’s Ministry of Economy has disclosed a data breach resulting from unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrus
Bleepingcomputer
Google patches first Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2026-02-16·CVSS 8.8
CVE-2026-2441 [HIGH] Google patches first Chrome zero-day exploited in attacks this year
## Google patches first Chrome zero-day exploited in attacks this year
## Sergiu Gatlan
The commit message also notes that the CVE-2026-2441 patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed.
The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating that it was important enough to include in a stable release rather than waiting for the next major version (likely because the vulnerability is being exploited in the wild).
Although Google found evidence of attackers exploiting this zero-day flaw in the wild, it did not share additional details regarding these incidents.
"Access to bug details and links may be
Wiz
CVE-2026-2441 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-2441 [HIGH] CVE-2026-2441 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2441: vulnerability analysis and mitigation
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Source: NVD
- Score: 8.8
- Published: February 13, 2026
- Severity: HIGH
- CNA Score: 8.8
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 42.4
- Exploitation Probability (EPSS): 0.2
Affected packages and libraries
- chromium-qt6-ui
- qt6-qtwebengine

Sources
- Alpine 3.23, edge · Severity HIGH · Has Fix · Added at: Feb 15, 2026
- Chainguard · Has Fix · Added at: Mar 02, 2026
- Debian 11 · Severity HIGH · No Fix · Added at: Feb 15, 2026
- Debian 12, 13, 14 · Severity HIGH · Has
Recorded Future
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
blogs_recorded_future·CVSS 7.7
[HIGH] February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
# February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML
2026-02-13: Published
2026-02-17: Added to CISA KEV
Exploited in the wild