
CVE-2026-2441: Chrome Zero-Day Exploited in the Wild

4 unique sources, 4 articles

Summary

Google has released a patch for a high-severity use-after-free vulnerability (CVE-2026-2441) in Chrome's CSSFontFeatureValuesMap, which is actively being exploited. The flaw, discovered by Shaheen Fazim, allows remote attackers to execute arbitrary code within a sandbox via crafted HTML pages. Users are advised to update to versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. This is the first actively exploited zero-day in Chrome for 2026, highlighting the ongoing threat of browser-based vulnerabilities. The vulnerability was disclosed to the vendor on February 11, 2026, only two days before it was patched. The flaw can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website, although an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover. The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating its importance and urgency. The commit message notes that the patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed. The update was published on February 13, 2026, and accompanied by an advisory on CVE-2026-2441. Google has restricted access to bug details and links until a majority of users are updated with a fix. Google released eight emergency patches for Chrome in 2025 to protect against actively exploited vulnerabilities.

Timeline

  1. 16.02.2026 08:38 4 articles · 16h ago

    CVE-2026-2441 Zero-Day Exploited in the Wild

    Google has patched a high-severity use-after-free vulnerability (CVE-2026-2441) in Chrome's CSSFontFeatureValuesMap, which is actively being exploited. The flaw, discovered by Shaheen Fazim, allows remote attackers to execute arbitrary code within a sandbox via crafted HTML pages. Users are advised to update to the latest versions of Chrome to mitigate the risk. The vulnerability was disclosed to the vendor on February 11, 2026, only two days before it was patched. The flaw can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website, although an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover. The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating its importance and urgency. The commit message notes that the patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed. The update was published on February 13, 2026, and accompanied by an advisory on CVE-2026-2441. Google has restricted access to bug details and links until a majority of users are updated with a fix.

Similar Happenings

Eighth Chrome Zero-Day Vulnerability Patched in 2025

Google has released an emergency update to fix a high-severity zero-day vulnerability (466192044) in Chrome, marking the eighth such flaw exploited in attacks in 2025. The vulnerability, a buffer overflow in ANGLE's Metal renderer, affects Chrome versions for Windows, macOS, and Linux. Google has not disclosed further details, including the CVE ID, as the issue remains under coordination. The flaw could lead to memory corruption, crashes, sensitive information leaks, and arbitrary code execution. Users are advised to update their browsers to versions 143.0.7499.109 for Windows and Linux, and 143.0.7499.110 for macOS. This update also addresses two additional medium-severity vulnerabilities (CVE-2025-14372 and CVE-2025-14373). Additionally, Google has released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit exists in the wild. The high-severity zero-day is referred to only by Google's internal tracker ID, 466192044, with no CVE assigned at this stage. The status of the vulnerability is marked as 'Under coordination.' Access to the details of a vulnerability may be kept restricted until a majority of users are updated with a fix.

High-Severity Flaws Patched in Firefox 145 and Chrome 142

Mozilla and Google released updates for Firefox and Chrome, addressing multiple high-severity vulnerabilities. Firefox 145 fixes 16 flaws, including nine high-severity issues, while Chrome 142 resolves a critical V8 JavaScript engine flaw. Both updates include improvements to security and functionality.

Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll

Operation ForumTroll, discovered in March 2025, targeted Russian organizations and individuals using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure only targeted victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS. The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. 
Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities. In a new wave of attacks detected in October 2025, the threat actor targeted individuals in Russia, specifically scholars in political science, international relations, and global economics, working at major Russian universities and research institutions. The latest attack wave used emails claiming to be from eLibrary, a Russian scientific electronic library, with messages sent from the address 'support@e-library[.]wiki'. The domain was registered in March 2025, six months before the start of the campaign, indicating preparations for the attack had been underway for some time. The emails contained links to a malicious site to download a plagiarism report, which, when clicked, downloaded a ZIP archive named with the victim's last name, first name, and patronymic. The links were designed for one-time use, displaying a Russian-language message stating 'Download failed, please try again later' if accessed more than once. The archive contained a Windows shortcut (LNK) that, when executed, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload contacted a URL to fetch a final-stage DLL and persist it using COM hijacking, also downloading and displaying a decoy PDF to the victim. The final payload was a command-and-control (C2) and red teaming framework known as Tuoni, enabling remote access to the victim's Windows device. ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022.

Zero-day in Google Chrome exploited in the wild

Google has patched a zero-day vulnerability (CVE-2025-10585) in the Chrome web browser that has been actively exploited in the wild. The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. The exploit details, actors involved, and the scale of exploitation remain undisclosed. The flaw is the sixth zero-day in Chrome that has been actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. Google has released security updates to address the vulnerability.

Type Confusion Vulnerabilities in Chrome's V8 Engine Exploited in the Wild

Google has released security updates for Chrome to address a zero-day vulnerability (CVE-2025-13223) in the V8 JavaScript and WebAssembly engine. This type confusion flaw is being actively exploited in the wild, posing a risk to millions of users. The update is available for Windows, macOS, and Linux. Users of other Chromium-based browsers should also apply the fixes as soon as they are available. The flaw was discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG) on November 12, 2025. Type confusion vulnerabilities can lead to arbitrary code execution and program crashes. Google has not disclosed specific details about the exploitation to prevent further abuse. This is the seventh zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.