Severity: High | CVE-2026-2441 | CVSS 8.8

Chrome's First Zero-Day of 2026 Is Already Here — Update Now

Google released emergency updates to patch CVE-2026-2441, a high-severity use-after-free vulnerability in Chrome that is being actively exploited in the wild. This marks Chrome's first zero-day of 2026.

By Danny Mercer, CISSP — Lead Security Analyst | Feb 16, 2026

Affected Products

Google Chrome (Windows, macOS, Linux) versions prior to 145.0.7632.75

Google kicked off 2026's zero-day tally on Friday, releasing emergency updates to patch a high-severity vulnerability in Chrome that attackers are already exploiting in the wild. If you haven't updated your browser recently, now would be an excellent time.

The flaw, tracked as CVE-2026-2441, is a use-after-free vulnerability in CSSFontFeatureValuesMap, Chrome's implementation of CSS font feature values. Security researcher Shaheen Fazim discovered and reported the bug, which stems from an iterator invalidation issue. When exploited successfully, attackers can trigger browser crashes, rendering issues, data corruption, or what Google vaguely describes as "other undefined behavior." In security terms, "undefined behavior" usually means "bad things the vendor doesn't want to spell out."

Google confirmed the vulnerability is being actively exploited but declined to share details about the attacks. The company's standard practice is to restrict access to bug details until most users have updated, and that policy extends further when the vulnerability affects third-party libraries that other projects depend on. Translation: they're keeping quiet until the patch has had time to propagate.

The Chromium commit history reveals something interesting about this fix. The patch was tagged as cherry-picked across multiple commits, meaning Google considered it important enough to backport into a stable release rather than wait for the next major version. The commit message notes that while the patch addresses "the immediate problem," there's "remaining work" being tracked separately. This suggests the current fix might be a temporary measure while engineers work on a more comprehensive solution.

Google has pushed the fix to users in the Stable Desktop channel. Windows and macOS users should update to version 145.0.7632.75 or 145.0.7632.76, while Linux users need version 144.0.7559.75. The rollout happens gradually over days or weeks, but you can speed things up by manually checking for updates in Chrome's settings. Alternatively, just restart your browser and let it handle things automatically.
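For anyone checking more than one machine, the sketch below is an added example (not from Google or the original article) that flags hosts still below the fixed builds listed above. It assumes an inventory of (host, platform, version string) records, and it assumes that any build numerically at or above the stated fixed build for its platform carries the fix; the function names and sample hosts are made up.

```python
import re

# Minimum fixed builds as stated in the article, keyed by platform.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuple comparison is numeric per component; a plain string comparison
    # would wrongly rank "145.0.7632.100" below "145.0.7632.75".
    return "patched" if version >= fixed else "vulnerable"


def audit(records):
    """Return every record not confirmed patched as (host, platform, version, status)."""
    findings = []
    for host, platform, version_text in records:
        status = classify(platform, version_text)
        if status != "patched":
            findings.append((host, platform, version_text, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 145.0.7632.76"),
    ("ws-002", "Windows", "Google Chrome 144.0.7559.110"),
    ("mb-014", "macOS", "145.0.7632.100"),
    ("lx-203", "Linux", "Google Chrome 144.0.7559.75"),
    ("lx-204", "Linux", "Google Chrome 144.0.7559.59"),
    ("kiosk-7", "ChromeOS", "145.0.7632.75"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Platforms the article does not list come back as "unknown" rather than "patched", so they stay on the review list.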

For context, this is the first actively exploited Chrome zero-day patched in 2026, but last year saw eight such vulnerabilities fixed. Many of those were discovered by Google's own Threat Analysis Group, which specializes in tracking zero-days used in spyware attacks targeting high-risk individuals like journalists, dissidents, and government officials. Whether CVE-2026-2441 falls into that category remains unclear, but the rapid response suggests Google isn't taking chances.

The affected component, CSS font feature values, might sound obscure, but that's precisely what makes browser vulnerabilities dangerous. Users don't need to do anything unusual to trigger them. Simply visiting a malicious webpage that exploits the flaw could be enough. The attack surface is everyone who browses the web, which is to say, everyone.

Update Chrome. Do it now. The attackers certainly aren't waiting.
