Google has issued an urgent security update for its Chrome browser to address a high-severity vulnerability that has already been exploited in real-world attacks, marking the first confirmed zero-day flaw patched by the company in 2026.
The vulnerability, tracked as CVE-2026-2441 and scored CVSS 8.8, is a use-after-free memory-safety bug in Chrome's CSS handling of advanced font rendering features. According to Google, evidence suggests attackers were actively exploiting the flaw before a fix was available, prompting an accelerated patch rollout.
The NIST National Vulnerability Database (NVD) describes the vulnerability as follows:
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
High-severity flaw discovered in Chrome's font system
In a security advisory, Google confirmed it was aware of “an exploit… in the wild,” a designation reserved for vulnerabilities already being used by attackers rather than theoretical threats.
The bug was discovered by security researcher Shaheen Fazim and affects a component known as CSSFontFeatureValuesMap, part of Chrome’s implementation of modern web font features. This system allows developers to control how fonts behave and render on webpages.
At its core, the issue is an iterator invalidation bug: code holds an iterator (or pointer) into a container, the container is mutated underneath it (an entry erased, or its storage reallocated), and the now-stale iterator is still dereferenced. Because the memory it points at has already been freed, this is a use-after-free, a class of flaw that is particularly dangerous because the freed allocation can be reused for other data before the stale access happens, letting an attacker steer what that access reads or writes.
Successful exploitation could result in:
- Browser crashes or instability
- Visual rendering glitches
- Data corruption
- Arbitrary code execution inside Chrome's renderer sandbox (as the NVD entry states); reaching the underlying operating system would require chaining a second, sandbox-escape vulnerability
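The iterator invalidation pattern described above, shown as an added illustration that is not Chromium code and not the actual CVE-2026-2441 bug: a map of font-feature entries is walked while a callback is allowed to erase from it. The type and function names (FeatureMap, MutationHook, CountFeaturesUnsafe, CountFeaturesSafe) and the sample data are constructed for this example. The unsafe walk dereferences a node that the hook has just freed; the hardened walk snapshots the keys first and re-looks each one up after the hook runs, so an erase becomes "skip" instead of a dangling iterator.

```cpp
#include <cstring>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a per-document registry of font-feature entries
// keyed by family name. These names are assumptions, not Blink's types.
using FeatureValues = std::vector<int>;
using FeatureMap = std::map<std::string, FeatureValues>;

// A "style recalc" style hook that is allowed to mutate the map mid-walk.
using MutationHook = std::function<void(FeatureMap&, const std::string& family)>;

// VULNERABLE pattern: if the hook erases the entry `it` points at, the node
// is freed, and both `it->second` and `++it` then touch freed memory.
// AddressSanitizer reports this as heap-use-after-free; a plain build reads
// whatever now occupies that memory.
int CountFeaturesUnsafe(FeatureMap& map, const MutationHook& hook) {
  int total = 0;
  for (auto it = map.begin(); it != map.end(); ++it) {
    hook(map, it->first);                            // may erase *it
    total += static_cast<int>(it->second.size());    // stale iterator if erased
  }
  return total;
}

// HARDENED pattern: iterate over a snapshot of the keys, then re-validate
// each key with find() after the hook has run. An erase simply skips the
// entry; an insert is picked up on the next walk, never mid-walk.
int CountFeaturesSafe(FeatureMap& map, const MutationHook& hook) {
  std::vector<std::string> families;
  families.reserve(map.size());
  for (const auto& entry : map) families.push_back(entry.first);

  int total = 0;
  for (const std::string& family : families) {
    hook(map, family);                               // free to erase or insert
    auto it = map.find(family);                      // re-look-up after mutation
    if (it == map.end()) continue;                   // entry went away: skip it
    total += static_cast<int>(it->second.size());
  }
  return total;
}

// Constructed sample: three families with 3, 2 and 1 feature values.
FeatureMap MakeSampleMap() {
  return {{"Serif-A", {1, 2, 3}}, {"Serif-B", {4, 5}}, {"Sans-C", {6}}};
}

// Hook that erases the entry currently being visited when it is "Serif-B".
void EraseSerifB(FeatureMap& map, const std::string& family) {
  if (family == "Serif-B") map.erase(family);
}

int main(int argc, char** argv) {
  FeatureMap map = MakeSampleMap();
  // Safe walk: Sans-C (1) + Serif-A (3); Serif-B is erased and skipped -> 4
  std::cout << "safe total: " << CountFeaturesSafe(map, EraseSerifB) << "\n";
  // Only run the buggy walk on request, ideally under -fsanitize=address.
  if (argc > 1 && std::strcmp(argv[1], "unsafe") == 0) {
    FeatureMap map2 = MakeSampleMap();
    std::cout << "unsafe total: " << CountFeaturesUnsafe(map2, EraseSerifB) << "\n";
  }
  return 0;
}
```

Build the example with `-fsanitize=address` and pass `unsafe` as the first argument to see the sanitizer report on the buggy walk; the safe walk completes either way. The snapshot-then-revalidate shape is the general fix for this class of bug whenever a callback invoked during iteration is allowed to mutate the container.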
Patch deployed rapidly, but concerns remain
The Chromium commit notes for the fix say it addresses what engineers described as “the immediate problem.” The same notes reference follow-up work under a separate bug tracking ID, which suggests that related issues may still exist or that the fix is only partial.
This has raised the possibility that:
- Additional patches may follow
- Variants of the vulnerability could still be under investigation
- The affected code area may require deeper refactoring
The urgency is underscored by Google's decision to cherry-pick the patch: merging the single fix commit into the already-shipped stable branch rather than waiting for the next milestone to carry it. This is standard practice when a flaw is actively exploited and poses immediate risk to users.
Limited disclosure due to active exploitation
As is standard practice in zero-day cases, Google has withheld detailed technical information about the attacks. The company said access to bug details will remain restricted until a majority of users have installed the update.
This approach is designed to:
- Prevent threat actors from reverse-engineering the vulnerability
- Reduce the likelihood of copycat attacks
- Give defenders time to deploy mitigations
In some cases, restrictions may also remain if third-party software components are affected and have not yet been patched.
Updates rolling out across platforms
The fix is rolling out to Chrome users on all major desktop platforms via the Stable channel. Fixed versions are:
- Windows & macOS: 145.0.7632.75 / 145.0.7632.76
- Linux: 145.0.7632.75
Any 144.x build is still vulnerable; the NVD entry quoted above gives 145.0.7632.75 as the first fixed release.
Google said the update will reach users globally over the coming days and weeks. Users can check manually at chrome://settings/help (Help > About Google Chrome), which also fetches any pending update. Chrome only applies a downloaded update after it is relaunched, so a browser that shows "relaunch to update" is still running the vulnerable build until it is restarted.
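A fleet-side version check, added here as an example and not part of the original article or any Google tooling: it parses dotted Chrome version strings numerically and compares each installed build against the fixed release. The inventory lines, host names and the function names (ParseVersion, CompareVersions, IsPatched) are constructed for this example; the only page-derived value is the 145.0.7632.75 threshold.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Parse a dotted Chrome version ("145.0.7632.75") into four numeric fields.
// Any malformed input (wrong field count, non-digits) yields an empty vector
// so that callers fail closed and flag the host for attention.
std::vector<long> ParseVersion(const std::string& text) {
  std::vector<long> parts;
  std::stringstream ss(text);
  std::string field;
  while (std::getline(ss, field, '.')) {
    if (field.empty()) return {};
    for (char c : field) if (c < '0' || c > '9') return {};
    parts.push_back(std::stol(field));
  }
  return parts.size() == 4 ? parts : std::vector<long>{};
}

// Field-by-field numeric comparison returning -1, 0 or +1. Plain string
// comparison is the classic mistake: it would order "9.0.0.0" after "10.0.0.0".
int CompareVersions(const std::vector<long>& a, const std::vector<long>& b) {
  for (size_t i = 0; i < a.size() && i < b.size(); ++i) {
    if (a[i] < b[i]) return -1;
    if (a[i] > b[i]) return 1;
  }
  return 0;
}

// First fixed build per the advisory. The Windows/macOS .76 build and the
// Linux .75 build sit on the same 145.0.7632 branch, so a single threshold
// covers all three desktop platforms; every 144.x build is below it.
const char* const kFixedVersion = "145.0.7632.75";

// True only when `installed` parses cleanly and is at or above the fix.
bool IsPatched(const std::string& installed) {
  std::vector<long> have = ParseVersion(installed);
  if (have.empty()) return false;
  return CompareVersions(have, ParseVersion(kFixedVersion)) >= 0;
}

int main() {
  // Constructed inventory export: "host<TAB>version", one host per line.
  const char* inventory[] = {
    "ws-101\t145.0.7632.76",
    "ws-102\t144.0.7559.75",
    "ws-103\t145.0.7632.75",
    "ws-104\tunknown",
  };
  for (const char* line : inventory) {
    std::string s(line);
    size_t tab = s.find('\t');
    std::string host = s.substr(0, tab);
    std::string ver = s.substr(tab + 1);
    std::printf("%-8s %-16s %s\n", host.c_str(), ver.c_str(),
                IsPatched(ver) ? "ok" : "UPDATE REQUIRED");
  }
  return 0;
}
```

The version reported by an endpoint agent is the installed build, not necessarily the running one; pair this check with a relaunch policy, since Chrome keeps running the old binary until it is restarted.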
A continuing trend of targeted browser attacks
While this is the first actively exploited Chrome zero-day patched in 2026, it follows a pattern observed in previous years. In 2025, Google addressed eight zero-day vulnerabilities, many of which were linked to targeted surveillance campaigns.
Several of those flaws were identified by Google’s Threat Analysis Group (TAG), which specializes in tracking sophisticated cyber operations, including spyware attacks aimed at journalists, activists, and other high-risk individuals.
Modern browser vulnerabilities are especially valuable to attackers because:
- Browsers are widely used and constantly exposed to untrusted content
- Exploits can often be delivered through malicious websites
- Successful attacks may not require user interaction beyond visiting a page
Users urged to update immediately
We strongly recommend installing the latest Chrome update as soon as it becomes available. Delaying updates could leave systems exposed to ongoing exploitation attempts.
Users of other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also install updates as soon as they are released.
As zero-day vulnerabilities continue to play a central role in advanced cyberattacks, rapid patching and user awareness remain critical defenses in an increasingly complex threat landscape.