Chrome CSS use-after-free security flaw (CVE-2026-2441)
Vulnerability
Summary
Hide ▲
Show ▼
Chrome is being patched for CVE-2026-2441, a high-severity use-after-free zero-day in the browser’s CSS component that was exploited in the wild. The emergency fix affects Windows, Mac, and Linux builds, and the flaw could let a user be lured to a malicious website that triggers browser code execution. Even with the browser sandbox in place, the bug raises risk of session theft, data theft, and further attacks.
Related Happenings
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
Vulnerability
H score45
First: 09.06.2026 09:56
Last: 09.06.2026 09:56
Sources 1
About this happening:
**Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
VulnerabilityAbout this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Chromium JavaScript background RCE flaw
Vulnerability
H score16
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Google overhauls Android and Chrome bug bounty programs
Commercial Activity
H score0
First: 05.05.2026 14:24
Last: 05.05.2026 14:24
Sources 1
About this happening:
**Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Google overhauls Android and Chrome bug bounty programs
Commercial ActivityAbout this happening: **Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
H score11
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/ServiceAbout this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
H score1
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
VulnerabilityAbout this happening: **Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Timeline
-
16.02.2026 09:54 2 articles · 4mo ago
Shaheen Fazim reports CVE-2026-2441 to Google
Initial DisclosureShaheen Fazim reported CVE-2026-2441 to Google on February 11, identifying a high-severity use-after-free vulnerability in Chrome’s CSS component. Google later credited the researcher for responsibly disclosing the flaw.
Show sources
- Google Patches First Actively Exploited Chrome Zero-Day of 2026 — www.securityweek.com — 16.02.2026 09:54
- CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update — thehackernews.com — 18.02.2026 08:52
-
16.02.2026 09:54 1 articles · 4mo ago
Google ships emergency Chrome fix for CVE-2026-2441
Mitigation Patch UpdateGoogle released emergency Chrome builds 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux on February 16 to fix CVE-2026-2441 after confirming that an exploit exists in the wild. Google warned that a malicious website could trigger browser code execution, with sandbox escape likely requiring an additional vulnerability.
Show sources
- Google Patches First Actively Exploited Chrome Zero-Day of 2026 — www.securityweek.com — 16.02.2026 09:54