Google released emergency updates to fix a high-severity Chrome zero-day, CVE-2026-2441, that has been exploited in the wild. The vulnerability is a use-after-free caused by an iterator invalidation in CSSFontFeatureValuesMap, and Google backported fixes to Stable Desktop releases for Windows, macOS, and Linux while noting further related work remains.
Key points
- Google confirmed an in-the-wild exploit for CVE-2026-2441.
- The flaw is a use-after-free caused by an iterator invalidation in CSSFontFeatureValuesMap.
- Fixes were cherry-picked into stable releases and are rolling out to Windows, macOS (145.0.7632.75/76), and Linux (144.0.7559.75).
- Google is withholding detailed exploit information until a majority of users have received the update.
- The patch addresses the immediate issue but additional related work is tracked in bug 483936078.