Chrome's first zero-day of 2026 – update now, don't wait

Carl Heaton · Security Commentary

CVE-2026-2441 is Chrome's first actively exploited zero-day of 2026, and it's already been caught being used in the wild.

It's a use-after-free bug in CSS handling, rated CVSS 8.8. A crafted webpage is all it takes to get code running inside your browser sandbox. No user interaction beyond visiting a page.

The timeline

The vulnerability was reported on February 11th, confirmed as actively exploited by February 13th, and patched the same day. Google still hasn't said whether the attacks are targeted or widespread.

You need version 145.0.7632.75 on Windows and Mac, or 144.0.7559.75 on Linux.

Why this matters

For context, Google patched eight actively exploited zero-days across the whole of 2025. We're barely into February and the counter has already started for 2026.

This also lands days after researchers found 287 Chrome extensions quietly exfiltrating browsing history to third parties. Between the browser itself and the ecosystem bolted onto it, Chrome's attack surface isn't getting any smaller.

What to do

If you manage endpoints, don't wait for the auto-update rollout. Push the update now. Most installations will already have the patch downloaded – they're just waiting for a browser restart to apply it.

More broadly, this is a good time to ask yourself whether you actually have visibility on which Chrome version your fleet is running right now. If the answer is no, that's a gap worth closing.
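One way to answer that question from an inventory export, as an added example that is not part of the original post. The CSV column names, host names and sample rows are constructed assumptions; the patched builds are the ones stated above. Versions are compared numerically per component, and a host whose update is on disk but whose running browser is older is reported separately.

```python
import csv
import io

# Patched builds as stated in the article, keyed by platform.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "mac": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

# Constructed sample inventory export; column names are assumptions.
SAMPLE_INVENTORY = """host,os,installed_version,running_version
ws-001,windows,145.0.7632.75,145.0.7632.75
ws-002,windows,145.0.7632.75,144.0.7559.110
mb-014,mac,144.0.7559.110,144.0.7559.110
lx-203,linux,144.0.7559.75,144.0.7559.75
lx-204,linux,144.0.7559.9,144.0.7559.9
ws-099,windows,,
"""


def parse_version(text):
    """Turn '145.0.7632.75' into (145, 0, 7632, 75); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(row):
    """Return 'patched', 'restart-pending', 'vulnerable' or 'unknown'."""
    minimum = PATCHED.get(row["os"].strip().lower())
    installed = parse_version(row["installed_version"])
    running = parse_version(row["running_version"])
    if minimum is None or installed is None:
        return "unknown"
    if installed < minimum:
        return "vulnerable"
    # Assumption: an empty running_version means Chrome was not running.
    # Update on disk but an older build in memory: the restart is still owed.
    if running is not None and running < minimum:
        return "restart-pending"
    return "patched"


def audit(inventory_csv):
    """Map each host in the CSV text to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}
```

The `lx-204` row is there because a plain string comparison would rank `144.0.7559.9` above `144.0.7559.75`; the tuple comparison does not.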
