CVE-2026-2441 Overview
CVE-2026-2441 is a use-after-free vulnerability in the Cascading Style Sheets (CSS) implementation of Google Chrome prior to version 145.0.7632.75. A remote attacker can execute arbitrary code inside the renderer sandbox by serving a crafted HTML page to a victim browser. The flaw is tracked under CWE-416 (Use After Free) and affects Chrome across Windows, macOS, and Linux. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. A public proof-of-concept is available, which raises the urgency for organizations to deploy the Chrome stable channel update.
Critical Impact
Remote attackers can achieve arbitrary code execution within the Chrome renderer sandbox by luring a user to a malicious web page, enabling browser exploitation that can chain into full system compromise.
Affected Products
- Google Chrome versions prior to 145.0.7632.75 on Windows
- Google Chrome versions prior to 145.0.7632.75 on macOS
- Google Chrome versions prior to 145.0.7632.75 on Linux
Discovery Timeline
- 2026-02-13 - CVE-2026-2441 published to NVD following Google's stable channel update
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-2441
Vulnerability Analysis
The defect resides in Chrome's Blink CSS engine, which manages style computation, layout, and the lifecycle of style-related objects. A use-after-free condition arises when CSS object references continue to be used after the underlying memory has been released. Attackers manipulate the document and style state through scripted DOM and CSS operations to trigger the dangling pointer dereference. Once the freed memory is reclaimed and shaped by attacker-controlled content, the resulting type confusion can be steered into arbitrary code execution inside the renderer process.
Exploitation is constrained to the renderer sandbox on initial trigger, but use-after-free primitives in Blink are commonly paired with sandbox-escape bugs to achieve host-level execution. Public exploitation activity recorded in the CISA KEV catalog indicates this vector is already being leveraged against unpatched users.
Root Cause
The root cause is improper object lifetime management in CSS processing logic. Specific style-related allocations are released while other code paths still hold references to them, violating the invariants enforced by Blink's garbage collector and reference-counting model. Crafted HTML and CSS sequences are sufficient to drive the engine into this inconsistent state without any privileged interaction.
Attack Vector
The attack vector is network-based and requires user interaction limited to visiting a malicious or compromised web page. No authentication is needed. Attackers can deliver the exploit through phishing links, malvertising, watering-hole compromises, or embedded iframes on otherwise trusted sites. The vulnerability mechanism is documented in the Chromium issue tracker entry, and a working proof of concept for CVE-2026-2441 has been published on GitHub.
Detection Methods for CVE-2026-2441
Indicators of Compromise
- Chrome renderer process crashes (chrome.exe child processes) with access violation signatures originating from Blink CSS modules
- Outbound HTTP/HTTPS traffic from browser hosts to newly registered or low-reputation domains hosting HTML payloads with anomalous CSS structures
- Unexpected child processes spawned by chrome.exe, such as cmd.exe, powershell.exe, or scripting hosts, immediately after browsing activity
- Browser telemetry showing version strings below 145.0.7632.75 in active sessions
Detection Strategies
- Inspect endpoint telemetry for Chrome process lineage anomalies and post-exploitation behaviors such as credential access or persistence following a browsing event
- Correlate web proxy logs with endpoint events to identify users who reached suspicious URLs and subsequently produced abnormal browser behavior
- Hunt for crash reports referencing CSS style invalidation, layout, or blink::Style* symbols in Windows Error Reporting or crashpad output
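The process-lineage check described above, written as an added example that is not part of the original advisory. The event fields, host names and the list of suspect child images are assumptions chosen for illustration, and the sample events are constructed rather than real telemetry.

```python
from pathlib import PureWindowsPath

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"host": "ws-014", "parent": CHROME, "image": CHROME,
     "cmdline": "chrome.exe --type=renderer"},
    {"host": "ws-014", "parent": CHROME, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /d /c "C:\Tools\host.exe" chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/'},
    {"host": "ws-027", "parent": CHROME,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"host": "ws-031", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Shells and scripting hosts a browser should not normally launch (assumed list; tune locally).
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the analysis host's OS."""
    return PureWindowsPath(path).name.lower()


def triage(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    if basename(event["parent"]) != "chrome.exe":
        return None
    child = basename(event["image"])
    if child not in SUSPECT_CHILDREN:
        return None  # renderer, GPU and utility children are chrome.exe itself
    # Assumption: Chrome starts native messaging hosts through cmd.exe and passes the
    # calling extension origin. The string is forgeable, so downgrade rather than drop.
    if child == "cmd.exe" and "chrome-extension://" in event["cmdline"]:
        return "review"
    return "alert"


def hunt(events):
    """List (host, child image, verdict) for every event that needs attention."""
    return [(e["host"], basename(e["image"]), v) for e in events if (v := triage(e))]


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Hits in the "review" tier are worth joining to proxy logs for the same host and time window before closing them.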
Monitoring Recommendations
- Enforce centralized Chrome version inventory through MDM or configuration management and alert on hosts running builds older than 145.0.7632.75
- Subscribe SOC pipelines to the CISA KEV feed and the Google Chrome Stable Update advisory for follow-on guidance
- Increase logging fidelity on browser host segments handling executive, developer, and administrator workflows where targeted exploitation is most likely
How to Mitigate CVE-2026-2441
Immediate Actions Required
- Update Google Chrome to version 145.0.7632.75 or later on all Windows, macOS, and Linux endpoints
- Restart browser sessions after deployment to ensure the patched binary is loaded into memory
- Audit Chromium-based browsers and embedded WebView components that share the Blink rendering engine and apply vendor updates as they become available
- Prioritize patching for systems exposed to high-risk browsing, including jump hosts, executive workstations, and developer environments
Patch Information
Google released the fix in the Chrome stable channel at version 145.0.7632.75, documented in the Google Chrome Stable Update advisory. The corresponding tracking entry is published in the Chromium issue tracker. Confirmation of active exploitation is recorded in the CISA Known Exploited Vulnerabilities catalog, which mandates that federal civilian agencies remediate within the published deadline.
Workarounds
- Block access to untrusted web content through enterprise web filtering and DNS protection until patching is complete
- Restrict execution of unsigned binaries and script interpreters launched as children of chrome.exe using application control policies
- Disable JavaScript for high-risk user groups via Chrome Enterprise policy where business workflows allow, reducing reachability of the CSS code paths
# Linux: print the installed Chrome version (run on each endpoint)
google-chrome --version
# Windows: query the Chrome version recorded in the per-user BLBeacon registry key
reg query "HKCU\SOFTWARE\Google\Chrome\BLBeacon" /v version
# macOS: read CFBundleShortVersionString from the application bundle
defaults read "/Applications/Google Chrome.app/Contents/Info" CFBundleShortVersionString
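An added example, not part of the original advisory, that turns the raw output of the three commands above into a fleet compliance report against 145.0.7632.75. Host names and the collected outputs are constructed; the point it demonstrates is that versions must be compared as integer tuples and that hosts with no parseable version are reported separately instead of passing silently.

```python
import re

FIXED = (145, 0, 7632, 75)  # first patched build named in the advisory
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed inventory: raw command output as collected per host.
INVENTORY = {
    "lin-01": "Google Chrome 145.0.7632.75 ",
    "lin-02": "Google Chrome 145.0.7632.100 ",
    "win-01": "    version    REG_SZ    144.0.7559.110",
    "mac-01": "145.0.7632.45",
    "win-02": "ERROR: The system was unable to find the specified registry key or value.",
}


def parse_version(raw):
    """Extract the first four-part version from command output, or None."""
    m = VERSION_RE.search(raw)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(raw):
    """Map one host's raw output to 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(raw)
    if version is None:
        return "unknown"  # query failed or Chrome absent: follow up, do not assume safe
    # Tuple comparison is numeric per component. Comparing the strings would rank
    # "145.0.7632.100" below "145.0.7632.75" because "1" sorts before "7".
    return "patched" if version >= FIXED else "vulnerable"


def report(inventory):
    """Return {host: status} for the whole inventory."""
    return {host: classify(raw) for host, raw in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY).items()):
        print(f"{host}: {status}")
```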
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


