Google has released an emergency security update to patch a high-severity Chrome vulnerability that is already being exploited in zero-day attacks.
This marks the first actively exploited Chrome flaw fixed by Google since the beginning of 2026.
In a security advisory issued on Friday, Google confirmed that an exploit for CVE-2026-2441 exists in the wild. The vulnerability is a use-after-free bug caused by an iterator invalidation issue in CSSFontFeatureValuesMap, which is part of Chrome’s implementation of CSS font feature values. The flaw was reported by security researcher Shaheen Fazim.
If successfully exploited, the vulnerability could allow attackers to trigger browser crashes, rendering problems, data corruption, or other unpredictable behavior. While Google has not shared specific details about real-world attacks, the company confirmed that it has seen evidence of active exploitation.
According to the Chromium commit history, the patch fixes what Google described as the immediate problem. However, the commit also mentions that additional related work is still being tracked under a separate bug ID, suggesting that further improvements or fixes may follow. The update was cherry-picked and backported into the stable version, a strong indication of its urgency.
Google has now rolled out the fix to the Stable Desktop channel. Updated versions include Chrome 145.0.7632.75 and 145.0.7632.76 for Windows and macOS, and version 144.0.7559.75 for Linux users. The update is being gradually released worldwide and may take several days or weeks to reach all users.





