A public proof-of-concept exploit has been released for CVE-2026-2441, a critical use-after-free zero-day vulnerability in Google Chrome’s Blink CSS engine that Google confirmed is being actively exploited in the wild.
Security researcher Shaheen Fazim reported the flaw on February 11, 2026, and Google issued an emergency patch just two days later.
Classified as Chrome’s first zero-day of 2026, the vulnerability exists in the CSSFontFeatureValuesMap component within Chrome’s Blink rendering engine.
The root cause is an iterator invalidation flaw where FontFeatureValuesMapIterationSource stores a raw pointer (const FontFeatureAliases* aliases_) to an internal FontFeatureAliases HashMap.
When the map is mutated during iteration via set() or delete(), the HashMap rehashes, allocating new storage and freeing the old block. The raw pointer then dangles, and the next FetchNextItem() call reads from freed memory, triggering the use-after-free.
Google’s fix replaces the raw pointer with a deep copy of the HashMap, ensuring the iterator operates on its own isolated snapshot immune to rehashing.
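To make the invalidation mechanism and the fix concrete, here is an added illustration in C++. It is not Chromium code: it builds a tiny open-addressing map whose storage block is reallocated on every rehash, then contrasts an iteration source that caches a raw pointer into that block (the bug pattern) with one that iterates a private deep copy (the fix pattern). TinyHashMap, RawPointerIterationSource, SnapshotIterationSource and the generation counter are all made-up names; the raw-pointer version consults the owner's generation counter and refuses to read rather than dereferencing freed memory, which is how a checked or debug iterator would catch the same defect.

```cpp
// Added illustration, not Chromium/Blink code. Names are invented.
#include <cstddef>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

struct Slot {
    bool used = false;
    std::string key, value;
};

class TinyHashMap {
public:
    TinyHashMap() : slots_(new Slot[4]), capacity_(4) {}
    TinyHashMap(const TinyHashMap& o)   // deep copy: own storage block
        : slots_(new Slot[o.capacity_]), capacity_(o.capacity_), size_(o.size_) {
        for (size_t i = 0; i < capacity_; ++i) slots_[i] = o.slots_[i];
    }
    TinyHashMap& operator=(const TinyHashMap&) = delete;
    ~TinyHashMap() { delete[] slots_; }

    // Keeps load factor <= 50%, so the third insert into the initial table rehashes.
    void Set(const std::string& k, const std::string& v) {
        if ((size_ + 1) * 2 > capacity_) Rehash(capacity_ * 2);
        Slot& s = Find(k);
        if (!s.used) { s.used = true; s.key = k; ++size_; }
        s.value = v;
    }
    // Toy deletion: clear the slot, then rebuild the table to repair probe chains.
    bool Delete(const std::string& k) {
        Slot& s = Find(k);
        if (!s.used) return false;
        s.used = false;
        Rehash(capacity_);
        return true;
    }
    const Slot* storage() const { return slots_; }
    size_t capacity() const { return capacity_; }
    unsigned generation() const { return generation_; }

private:
    Slot& Find(const std::string& k) {   // linear probing
        size_t i = std::hash<std::string>{}(k) % capacity_;
        while (slots_[i].used && slots_[i].key != k) i = (i + 1) % capacity_;
        return slots_[i];
    }
    // Allocate a new block, reinsert live entries, free the old block: any
    // cached pointer into the old block now dangles. generation_ records it.
    void Rehash(size_t new_cap) {
        Slot* old = slots_;
        size_t old_cap = capacity_;
        slots_ = new Slot[new_cap]; capacity_ = new_cap; size_ = 0;
        for (size_t i = 0; i < old_cap; ++i) {
            if (!old[i].used) continue;
            Slot& s = Find(old[i].key);
            s.used = true; s.key = old[i].key; s.value = old[i].value; ++size_;
        }
        delete[] old;
        ++generation_;
    }
    Slot* slots_;
    size_t capacity_;
    size_t size_ = 0;
    unsigned generation_ = 0;
};

// Bug pattern: caches a raw pointer into the map's current storage block.
// Reading through it after a rehash would be a use-after-free, so this model
// checks the owner's generation counter and throws instead of reading.
class RawPointerIterationSource {
public:
    explicit RawPointerIterationSource(const TinyHashMap& m)
        : owner_(m), table_(m.storage()), capacity_(m.capacity()), generation_(m.generation()) {}
    bool FetchNextItem(std::string& key) {
        if (owner_.generation() != generation_)
            throw std::logic_error("table_ dangles: storage reallocated mid-iteration");
        while (index_ < capacity_ && !table_[index_].used) ++index_;
        if (index_ >= capacity_) return false;
        key = table_[index_++].key;
        return true;
    }
private:
    const TinyHashMap& owner_;   // only for the guard; the defect is caching table_
    const Slot* table_;
    size_t capacity_, index_ = 0;
    unsigned generation_;
};

// Fix pattern: iterate a private deep copy taken when iteration begins, so
// later Set()/Delete() calls on the live map cannot free what is being read.
class SnapshotIterationSource {
public:
    explicit SnapshotIterationSource(const TinyHashMap& m) : copy_(m) {}
    bool FetchNextItem(std::string& key) {
        const Slot* t = copy_.storage();
        while (index_ < copy_.capacity() && !t[index_].used) ++index_;
        if (index_ >= copy_.capacity()) return false;
        key = t[index_++].key;
        return true;
    }
private:
    TinyHashMap copy_;
    size_t index_ = 0;
};

// Mutate during raw-pointer iteration; true when the invalidation is caught.
bool RawIterationInvalidated() {
    TinyHashMap m;
    m.Set("swash", "1"); m.Set("styleset", "2");
    RawPointerIterationSource it(m);
    std::string k;
    it.FetchNextItem(k);
    m.Set("ornaments", "3");   // third insert -> rehash -> old block freed
    try { it.FetchNextItem(k); } catch (const std::logic_error&) { return true; }
    return false;
}

// Mutate during snapshot iteration; returns how many keys came out (always 2).
size_t SnapshotIterationCount() {
    TinyHashMap m;
    m.Set("swash", "1"); m.Set("styleset", "2");
    SnapshotIterationSource it(m);
    std::string k;
    size_t n = 0;
    while (it.FetchNextItem(k)) { ++n; m.Set("extra" + std::to_string(n), "x"); m.Delete("swash"); }
    return n;
}

int main() {
    std::cout << RawIterationInvalidated() << ' ' << SnapshotIterationCount() << '\n';
}
```

The snapshot costs a copy per iteration, which is the trade Google's fix makes: correctness against a mutating caller in exchange for memory and time proportional to the map size. For a map of @font-feature-values aliases that is small, which is why a copy is acceptable here where a hot-path container might instead need a stable-address storage scheme.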
| Platform | Vulnerable | Fixed |
|---|---|---|
| Windows / macOS (Stable) | < 145.0.7632.75 | >= 145.0.7632.75 |
| Linux (Stable) | < 144.0.7559.75 | >= 144.0.7559.75 |
| Windows / macOS (Extended Stable) | < 144.0.7559.177 | >= 144.0.7559.177 |
| Chromium-based (Edge, Brave, Opera, Vivaldi) | Check vendor advisory | Varies |
PoC Mechanics and Impact
The published PoC triggers the UAF through three distinct methods: an entries() iterator combined with a mutation loop, a for...of loop with concurrent deletion and heap spraying, and a requestAnimationFrame-based technique that forces a layout recalculation mid-iteration.
Each method also incorporates heap grooming by pre-allocating 50 same-sized @font-feature-values CSS rules to increase the predictability of heap layout for exploitation.
On unpatched Chrome versions, the renderer process crashes with STATUS_ACCESS_VIOLATION on Windows or SIGSEGV on Linux and macOS, confirming the dangling pointer accesses freed memory.
The immediate impact is confined to the Chrome renderer sandbox: arbitrary code execution within the sandboxed process, information disclosure through leaked V8 heap pointers for ASLR bypass, credential theft via document.cookie and localStorage access, and session hijacking through token exfiltration.
When chained with a separate sandbox escape vulnerability, this UAF becomes the first link in a full system compromise chain, a pattern previously observed with NSO Pegasus (WebKit UAF), Intellexa Predator, and APT-28’s Chrome 0-day campaigns.
The vulnerability is exploitable via drive-by download, requiring no user interaction beyond visiting a malicious page, making it suitable for malvertising, watering hole, and spear-phishing delivery.
The U.S. CISA has added CVE-2026-2441 to its Known Exploited Vulnerabilities (KEV) catalog. Users must immediately update Chrome to version 145.0.7632.75 or later on Windows and macOS, and 144.0.7559.75 or later on Linux.
Chromium-based browser users should apply vendor patches from Edge, Brave, Opera, and Vivaldi as they become available. Administrators should also verify that Site Isolation is enabled via chrome://flags/#site-isolation-trial-opt-out and audit all endpoints for outdated Chrome deployments.
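An endpoint audit has to compare versions numerically and per channel, because an Extended Stable 144.0.7559.177 build on Windows is patched even though it sorts below the 145.0.7632.75 Stable floor. The following C++ program is an added example, not from the article, Google or any vendor: it encodes the fixed builds from the table above, parses dotted version strings, and flags installs below their channel's floor. The inventory records, the ChromeInstall fields and the platform/channel labels are constructed assumptions about what an endpoint-management export might provide.

```cpp
// Added example; the inventory and field names are constructed, not real data.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct ChromeInstall {
    std::string host, platform, channel, version;
};

// Parses "145.0.7632.75" into {145, 0, 7632, 75}; shorter strings are padded
// with zeros so std::vector's lexicographic compare orders them numerically.
std::vector<int> ParseVersion(const std::string& v) {
    std::vector<int> parts;
    std::stringstream ss(v);
    std::string piece;
    while (std::getline(ss, piece, '.')) parts.push_back(piece.empty() ? 0 : std::stoi(piece));
    parts.resize(4, 0);
    return parts;
}

// Minimum fixed build per (platform, channel), copied from the advisory table.
const std::map<std::pair<std::string, std::string>, std::string>& FixedBuilds() {
    static const std::map<std::pair<std::string, std::string>, std::string> builds = {
        {{"windows", "stable"},   "145.0.7632.75"},
        {{"macos",   "stable"},   "145.0.7632.75"},
        {{"linux",   "stable"},   "144.0.7559.75"},
        {{"windows", "extended"}, "144.0.7559.177"},
        {{"macos",   "extended"}, "144.0.7559.177"},
    };
    return builds;
}

// True when the install is at or above its own channel's fixed build. A
// (platform, channel) the table does not cover is reported as unpatched so
// it gets a manual look rather than silently passing.
bool IsPatched(const ChromeInstall& c) {
    auto it = FixedBuilds().find({c.platform, c.channel});
    if (it == FixedBuilds().end()) return false;
    return ParseVersion(c.version) >= ParseVersion(it->second);
}

std::vector<std::string> OutdatedHosts(const std::vector<ChromeInstall>& inventory) {
    std::vector<std::string> out;
    for (const auto& c : inventory)
        if (!IsPatched(c)) out.push_back(c.host);
    return out;
}

// Constructed inventory standing in for an endpoint-management export.
std::vector<ChromeInstall> SampleInventory() {
    return {
        {"ws-01",  "windows", "stable",   "145.0.7632.75"},   // patched
        {"ws-02",  "windows", "stable",   "145.0.7632.60"},   // below fixed build
        {"srv-03", "linux",   "stable",   "144.0.7559.75"},   // patched
        {"ws-04",  "windows", "extended", "144.0.7559.177"},  // patched on its channel
        {"mac-05", "macos",   "extended", "144.0.7559.150"},  // below fixed build
        {"ws-06",  "windows", "beta",     "146.0.7700.1"},    // channel not in table
    };
}

int main() {
    for (const auto& h : OutdatedHosts(SampleInventory())) std::cout << h << '\n';
}
```

Run against the sample inventory it prints ws-02, mac-05 and ws-06. The last one is not necessarily vulnerable; it is listed because the advisory gives no floor for that channel, and an audit that quietly treats unknown channels as safe is the kind that misses the Chromium-based browsers the article says need their own vendor advisories.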