Google released a security advisory to address a high-severity zero-day vulnerability in Chrome. Tracked as CVE-2026-2441, the vulnerability is being exploited in the wild.
The vulnerability is a use-after-free flaw in the CSS browser’s CSS handling. An independent researcher, Shaheen Fazim, discovered and reported the vulnerability to Google on February 11, 2026.
Use-after-free flaws often stem from improper object lifecycle management in rendering engines, allowing freed memory to be accessed after deallocation.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 10, 2026.
Affected Versions
The vulnerability affects Google Chrome versions before 145.0.7632.75/76.
Mitigation
Customers must upgrade to the latest stable channel version 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released the Microsoft Edge Stable Channel (Version 145.0.3800.58) to address CVE-2026-2441, which the Chromium team has reported as being exploited in the wild.
Qualys Detection
Qualys customers can scan their devices with QIDs 386573 and 386589 to detect vulnerable assets.
Rapid Response with TruRisk™ Eliminate
Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
