{"id":7099,"date":"2026-02-17T00:48:21","date_gmt":"2026-02-17T00:48:21","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7099"},"modified":"2026-02-17T00:48:21","modified_gmt":"2026-02-17T00:48:21","slug":"exploit-available-for-new-chrome-zero-day-vulnerability-says-google","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7099","title":{"rendered":"Exploit available for new Chrome zero-day vulnerability, says Google"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors now have the ability to exploit a new zero-day vulnerability in the Chrome browser, Google has advised IT administrators.<\/p>\n<p>The warning comes after <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/02\/stable-channel-update-for-desktop_13.html\" target=\"_blank\" rel=\"noopener\">Google released a patch for Chrome<\/a> to plug a use after free memory vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-2441\" target=\"_blank\" rel=\"noopener\">CVE-2026-2441<\/a>) in cascading style sheets (CSS), which means the browser\u2019s CSS engine isn\u2019t properly managing memory and can be exploited by a hacker.<\/p>\n<p>If not patched, it allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The vulnerability is rated at High in severity.<\/p>\n<p>At risk are Windows and Mac Chrome browsers prior to 145.0.7632.75\/76, and\u00a0prior to 144.0.7559.75 for Linux.<\/p>\n<p>\u201cGoogle is aware that an exploit for CVE-2026-2441 exists in the wild,\u201d the warning adds.<\/p>\n<p>Details about the hole are scarce. Google says access to bug details and links may be restricted until a majority of users are updated with a fix. 
It will also maintain the restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/thegenemoody\/\" target=\"_blank\" rel=\"noopener\">Gene Moody<\/a>, field\u00a0CTO at Action1, explained that, in this vulnerability, a browser frees an object, but later continues to use the stale reference memory location. Any attacker who can shape heap layout with controlled content can potentially replace the contents of that freed memory with data they control. Because this lives in the renderer, and is reachable through normal page content, he said, the trigger surface is almost absolute.<\/p>\n<p>\u201cIn practical terms,\u201d he added, \u201ca vulnerable user simply visiting a malicious page could be enough to effectively trigger the bug.\u201d<\/p>\n<p>Hunting for and exploiting browser vulnerabilities is a popular tool for threat actors. That\u2019s because browsers are often an entry point to enterprises, particularly in an era of cloud applications. Browsers not only access corporate data, they hold sensitive information such as login credentials and personal data stored to autofill forms.<\/p>\n<p>Usually, browsers ship with auto patch installation enabled by default. Some CSOs\/CIOs, however, may prefer manual installation, so patches can be tested for compatibility with enterprise applications before installation.<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, said this is just the most recent Chrome 0-day to be discovered, and, based on history, there are probably many others already in use that have not been discovered or patched yet.<\/p>\n<p>\u201cHaving a solid endpoint monitoring program in place can mitigate some of this risk,\u201d he said. 
\u201cFor enterprise administrators, Google offers Chrome Enterprise Core, which adds the instrumentation necessary to monitor browser versions and release upgrades. Chrome Enterprise Core also adds central management for extensions. Malicious extensions are often a larger problem than 0-days.\u201d<\/p>\n<p>Browsers are highly complex programs that support a large number of technologies, he added, and include some legacy standards with limited current support.<\/p>\n<p>\u201cThe open-source Chromium browser codebase includes about 36 million lines of code,\u201d he pointed out. \u201cA large project like this is bound to include vulnerabilities. Google has used a number of automated tools to continuously reduce the number of vulnerabilities, but adversaries do the same, and sometimes find bugs that Google has not yet found or not yet gotten around to patching proactively.\u201d<\/p>\n<p>Browser zero days are never good, because it\u2019s trivial for criminals to use poisoned ads to try to steer victims with vulnerable browsers to websites containing malicious code, said <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a>, head of Canadian security awareness training provider Beauceron Security.<\/p>\n<p>\u201cIn this case, it looks like this is only a partial fix for the vulnerability in progress, and Google is being a bit tight-lipped about how bad this bug was, and all the things it could be used for beyond crashing the browser and corrupting data. But given there are exploits in the wild, and Google says it\u2019s waiting until the majority of users are patched before getting into more details, there\u2019s clearly something more interesting behind this one.\u201d<\/p>\n<p>Getting fixes to enterprise browsers is still not as easy as it should be, he added, and usually involves expensive tools or complex workflows that most smaller organizations don\u2019t have.<\/p>\n<p><a 
href=\"https:\/\/support.google.com\/chrome\/a\/answer\/6350036?hl=en\" target=\"_blank\" rel=\"noopener\">Google, however, provides extensive advice for administrators<\/a> on managing Chrome updates.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors now have the ability to exploit a new zero-day vulnerability in the Chrome browser, Google has advised IT administrators. The warning comes after Google released a patch for Chrome to plug a use after free memory vulnerability (CVE-2026-2441) in cascading style sheets (CSS), which means the browser\u2019s CSS engine isn\u2019t properly managing memory [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7100,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7099","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7099"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7099"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7099\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7100"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7099"},{"taxonomy":"post_tag","emb
eddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}