Google released an emergency update to close the first zero-day security hole in the Chrome browser in 2026. The vulnerability, tracked as CVE-2026-2441, is categorized as high risk and has reportedly been exploited in real attacks in various regions.
In its official statement, Google confirmed that this security hole had been exploited by threat actors before the patch was widely available. Therefore, Windows, macOS, and Linux users are urged to immediately update their browsers to the latest version.
Vulnerability Stems from Use-After-Free Error
According to Google, this vulnerability stems from a use-after-free error in the CSSFontFeatureValuesMap component in Chrome. The problem is triggered by an iterator invalidation bug that can cause memory corruption during font processing.
If successfully exploited, this vulnerability can cause browser crashes, rendering disruption, data corruption, and undefined system behavior. In certain scenarios, exploiting the memory corruption can also pave the way for malicious code execution.
The vulnerability was reported by security researcher Shaheen Fazim through the responsible disclosure mechanism. After receiving the report, Google stated that it immediately conducted a thorough investigation because there were indications of active exploitation in the wild.
Patches Released in Stages
Google restricts access to technical details of the bug until the majority of users have installed the security update. This step is taken to minimize the risk of further exploitation by irresponsible parties.
The stable update is now being rolled out gradually for desktop users with the following version details:
Windows: Chrome version 145.0.7632.76
macOS: Chrome versions 145.0.7632.75 and 145.0.7632.76
Linux: Chrome version 144.0.7559.75
Most users will receive the update automatically after restarting the browser. However, Google also recommends that users perform a manual check through the settings menu to ensure the latest version has been installed.
The company also urges organizations and enterprise environments to prioritize the implementation of this patch to reduce the potential for exposure to security risks.
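For fleet-wide prioritization, the version list above can be turned into a simple compliance check. The following is an added example, not code from Google or from this article; the CSV inventory layout, hostnames and function names are assumptions, as is treating each listed build as the per-platform minimum.

```python
import csv
import io

# Minimum patched builds per platform, taken from the version list above.
# macOS lists two builds; the lower one is used as the floor (assumption).
FIXED = {
    "windows": (145, 0, 7632, 76),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Turn '145.0.7632.76' into (145, 0, 7632, 76); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {host: status}; status is 'patched', 'outdated' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        floor = FIXED.get(row["os"].strip().lower())
        version = parse_version(row["chrome_version"])
        if floor is None or version is None:
            results[row["host"]] = "unknown"    # needs manual review
        elif version >= floor:                  # numeric, component-wise compare
            results[row["host"]] = "patched"
        else:
            results[row["host"]] = "outdated"
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = """host,os,chrome_version
ws-001,Windows,145.0.7632.76
ws-002,Windows,145.0.7632.100
ws-003,Windows,144.0.7559.132
mac-01,macOS,145.0.7632.75
lin-01,Linux,144.0.7559.75
lin-02,Linux,144.0.7559.9
kiosk-1,ChromeOS,145.0.7632.76
ws-004,Windows,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 145.0.7632.100 below 145.0.7632.76 and misreport a patched host.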
CVE-2026-2441 is the first Chrome zero-day handled by Google in 2026. This case reaffirms the importance of regularly updating software as part of a disciplined cybersecurity practice.