Chrome's First Zero-Day of 2026 Is Already Being Exploited — Update Now

Google released emergency updates to patch CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome's CSS handling that attackers are actively exploiting. All Chromium-based browsers are affected.

By Danny Mercer, CISSP — Lead Security Analyst | Feb 17, 2026

And just like that, Chrome's zero-day clock resets.

Google dropped emergency security updates on Friday to patch CVE-2026-2441, a high-severity vulnerability that attackers are already actively exploiting in the wild. If you're running Chrome, Edge, Brave, Opera, Vivaldi, or any other Chromium-based browser, this one needs your attention right now.

The flaw itself is a use-after-free bug hiding in Chrome's CSS handling code. For the non-technical folks, use-after-free vulnerabilities occur when a program tries to use memory after it's already been freed, creating a window where attackers can slip in their own malicious code. In this case, a carefully crafted HTML page is all it takes for a remote attacker to execute arbitrary code inside Chrome's sandbox. The CVSS score sits at 8.8, firmly in "high severity" territory and just a hair below critical.

Security researcher Shaheen Fazim discovered the vulnerability on February 11th and reported it to Google, who moved quickly to push out a fix. What Google hasn't revealed is who's doing the exploiting, who's being targeted, or what the attacks look like in practice. The company's statement was characteristically sparse, simply acknowledging that "an exploit for CVE-2026-2441 exists in the wild." Classic Google: all business, no details.

This marks the first actively exploited Chrome zero-day of 2026, though given last year's track record, it probably won't be the last. In 2025 alone, Google patched eight zero-day flaws in Chrome that were either being actively exploited or had public proof-of-concept code floating around. Browser vulnerabilities remain prime real estate for attackers because browsers are installed on virtually every device and present an enormous attack surface. Your browser touches everything from banking to email to corporate applications, making it a gateway worth targeting.

The timing is notable too. Just last week, Apple rushed out patches across its entire ecosystem to address CVE-2026-20700, a zero-day that was being used in what Apple described as an "extremely sophisticated attack" targeting specific individuals running older iOS versions. When both Google and Apple are scrambling to patch actively exploited flaws within days of each other, it's a good reminder that the threat landscape isn't slowing down.

Getting protected is straightforward. Windows and macOS users need Chrome version 145.0.7632.75 or 145.0.7632.76, while Linux users should update to 144.0.7559.75. You can check your version and trigger an update by clicking the three-dot menu, navigating to Help, then About Google Chrome, and letting the browser do its thing. A relaunch will be required to complete the update.

If you're running a different Chromium-based browser, don't assume you're safe. Edge, Brave, Opera, and Vivaldi all share Chrome's underlying engine, which means they inherit its vulnerabilities too. Keep an eye out for updates from your browser vendor and apply them as soon as they drop.

For organizations, this is a good moment to verify that browser updates are being pushed automatically across your fleet. A single unpatched endpoint running an out-of-date browser is all it takes to give attackers their initial foothold.
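One way to run that fleet check is sketched below. It is an added example, not code from Google or from the sources cited here: it compares each endpoint's reported Chrome build against the fixed versions listed above and sets other Chromium-based browsers aside for their own vendor advisories. The inventory format, host names, and sample version strings are constructed, and treating the listed builds as minimums is an assumption.

```python
import csv
import io

# Fixed builds as stated in the article; treating them as minimums is an assumption.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,os,browser,version
ws-001,windows,chrome,145.0.7632.76
ws-002,windows,chrome,144.0.7559.110
mac-014,macos,chrome,145.0.7632.75
lnx-203,linux,chrome,144.0.7559.59
lnx-204,linux,chrome,144.0.7559.75
ws-017,windows,edge,144.0.3719.92
ws-020,windows,chrome,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, browser, version):
    """Classify one endpoint as patched, vulnerable, check-vendor or unknown."""
    if browser.lower() != "chrome":
        # Other Chromium browsers use their own version numbers, so the
        # Chrome thresholds do not apply; follow the vendor's advisory.
        return "check-vendor"
    fixed = FIXED.get(os_name.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"
    return "patched" if parsed >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map host -> status for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["os"], r["browser"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts that come back as "unknown" deserve the same follow-up as "vulnerable", since an endpoint that cannot report its version cannot be shown to be patched.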

Target Sectors

Enterprise, All Sectors

Tags

Chrome, Google, Zero-Day, CVE-2026-2441, Browser, Use-After-Free

References

  • Chrome Releases Blog

    https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html

  • BleepingComputer

    https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year/