Chrome CSS use-after-free security flaw (CVE-2026-2441)
Vulnerability
Summary
Chrome is being patched for CVE-2026-2441, a high-severity use-after-free zero-day in the browser’s CSS component that was exploited in the wild. The emergency fix covers Windows, Mac, and Linux builds. A user lured to a malicious website could trigger code execution in the browser. Even with the browser sandbox in place, the bug raises the risk of session theft, data theft, and further attacks.
Related Happenings
Chromium JavaScript background RCE flaw
Vulnerability
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Google overhauls Android and Chrome bug bounty programs
Commercial Activity
First: 05.05.2026 14:24
Last: 05.05.2026 14:24
Sources 1
About this happening:
**Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
First: 01.04.2026 13:25
Last: 01.04.2026 13:25
Sources 1
About this happening:
**Google Chrome Stable Desktop** on **Windows, macOS, and Linux** is getting an **emergency fix** for **CVE-2026-5281**, a **use-after-free** flaw in **Dawn/WebGPU**. Google says...
Mozilla Firefox 149 adds a built-in VPN privacy control with phased rollout
Security Tool/Service
First: 24.03.2026 19:23
Last: 24.03.2026 19:23
Sources 1
About this happening:
**Mozilla Firefox 149** now includes a **built-in VPN tool** that adds browser-level privacy protection and can help hide a user's **location and IP address** while browsing. The...
Timeline
- 16.02.2026 09:54 2 articles · 3mo ago
Shaheen Fazim reports CVE-2026-2441 to Google
Initial Disclosure
Shaheen Fazim reported CVE-2026-2441 to Google on February 11, identifying a high-severity use-after-free vulnerability in Chrome’s CSS component. Google later credited the researcher for responsibly disclosing the flaw.
Sources:
- Google Patches First Actively Exploited Chrome Zero-Day of 2026 — www.securityweek.com — 16.02.2026 09:54
- CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update — thehackernews.com — 18.02.2026 08:52
- 16.02.2026 09:54 1 article · 3mo ago
Google ships emergency Chrome fix for CVE-2026-2441
Mitigation Patch Update
Google released emergency Chrome builds 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux on February 16 to fix CVE-2026-2441 after confirming that an exploit exists in the wild. Google warned that a malicious website could trigger browser code execution, with sandbox escape likely requiring an additional vulnerability.
Sources:
- Google Patches First Actively Exploited Chrome Zero-Day of 2026 — www.securityweek.com — 16.02.2026 09:54