PoC released for Chrome zero-day CVE-2026-2441

A public proof-of-concept exploit has been released for CVE-2026-2441, a critical use-after-free zero-day vulnerability in the Blink CSS engine of Google Chrome. Google has confirmed that the vulnerability is being actively exploited in the wild.
Security researcher Shaheen Fazim reported the vulnerability on February 11, 2026, and Google released an urgent patch two days later. The flaw, Chrome's first zero-day of 2026, affects the CSSFontFeatureValuesMap component of the Blink rendering engine. The root cause is an iterator invalidation bug: FontFeatureValuesMapIterationSource stores a raw pointer (const FontFeatureAliases* aliases_) to an internal FontFeatureAliases HashMap. Whenever the map is modified during iteration via set() or delete(), the HashMap rehashes, allocating new storage and freeing the old block.
The raw pointer is left dangling, and the FetchNextItem() call that follows reads from freed memory, producing the use-after-free. Google's fix replaces the raw pointer with a deep copy of the HashMap, so the iterator runs over a separate, isolated snapshot that rehashing cannot invalidate.

Platform / channel                             Vulnerable           Fixed
Windows/macOS (Stable)                         < 145.0.7632.75      >= 145.0.7632.75
Linux (Stable)                                 < 144.0.7559.75      >= 144.0.7559.75
Windows/macOS (Extended Stable)                < 144.0.7559.177     >= 144.0.7559.177
Chromium-based (Edge, Brave, Opera, Vivaldi)   Check vendor advisories

PoC mechanics and impact
Three different approaches are used in the published PoC to trigger the UAF: a requestAnimationFrame-based method that requires a layout recalculation in the middle of an iteration; a for...of loop with concurrent deletion and heap spraying; and an entries() iterator coupled with a mutation loop.
To make the heap layout more predictable for exploitation, each method also performs heap grooming by pre-allocating 50 @font-feature-values CSS rules of the same size. On unpatched Chrome versions the renderer process crashes with STATUS_ACCESS_VIOLATION on Windows and SIGSEGV on Linux and macOS, indicating that the dangling pointer is accessing freed memory.
The immediate impact is confined to the Chrome renderer sandbox: arbitrary code execution within the sandboxed process, credential theft through document access to cookies and local storage, session hijacking via token exfiltration, and information disclosure through leaked V8 heap pointers that enables ASLR bypass.
When chained with a separate sandbox escape vulnerability, this UAF becomes the first link in a full system compromise chain, a pattern previously seen with NSO Group's Pegasus (WebKit UAF), Intellexa's Predator, and APT28's Chrome zero-day campaigns. Because it can be exploited as a drive-by download, requiring no user action beyond visiting a malicious page, the vulnerability lends itself to spear-phishing, watering hole, and malvertising delivery.
CVE-2026-2441 has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. CISA. Update Chrome immediately to version 145.0.7632.75 or later on Windows and macOS, and 144.0.7559.75 or later on Linux. Users of Chromium-based browsers (Edge, Brave, Opera, Vivaldi) should install their vendors' patches as they become available.
Administrators should also audit all endpoints for out-of-date Chrome deployments and confirm that Site Isolation is enabled via chrome://flags/#site-isolation-trial-opt-out.
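The endpoint audit described above comes down to comparing each reported Chrome build against the first fixed build for its platform and channel, and the comparison has to be numeric per component (a naive string compare would rank 145.0.7632.9 below 145.0.7632.75). The following script is an added example, not part of the original article or of any Google tooling; the fixed-version thresholds are taken from the table above, while the inventory rows and hostnames are constructed sample data.

```python
"""Flag Chrome installs still exposed to CVE-2026-2441 (added example)."""
from typing import Dict, Iterable, List, Tuple

# First fixed build per (platform, channel), from the advisory table.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("windows", "stable"): "145.0.7632.75",
    ("macos", "stable"): "145.0.7632.75",
    ("linux", "stable"): "144.0.7559.75",
    ("windows", "extended"): "144.0.7559.177",
    ("macos", "extended"): "144.0.7559.177",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '145.0.7632.75' into (145, 0, 7632, 75) so tuples compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, channel: str, installed: str) -> bool:
    """True when the installed build predates the first fixed build for its channel."""
    key = (platform.lower(), channel.lower())
    if key not in FIXED_VERSIONS:
        # Linux Extended Stable is not listed in the advisory; refuse to guess.
        raise KeyError(f"no fixed version known for platform/channel {key}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def audit(inventory: Iterable[Tuple[str, str, str, str]]) -> List[str]:
    """Return the hostnames whose Chrome build is still vulnerable."""
    return [host for host, plat, chan, ver in inventory if is_vulnerable(plat, chan, ver)]


# Constructed sample inventory: (hostname, platform, channel, version).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "stable", "145.0.7632.74"),    # one build short of the fix
    ("ws-02", "windows", "stable", "145.0.7632.75"),    # exactly the fixed build
    ("build-7", "linux", "stable", "144.0.7559.75"),    # Linux fix is on the 144 branch
    ("build-8", "linux", "stable", "144.0.7558.200"),   # older branch, still exposed
    ("mac-3", "macos", "extended", "144.0.7559.100"),   # Extended Stable needs .177
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build unpatched for CVE-2026-2441")
```

Note that the channel matters: a Windows build on 144.0.7559.177 is fixed on Extended Stable but would be flagged if reported as Stable, where the fix only landed in 145.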