PoC Released for Critical Chrome 0-day Vulnerability Exploited in the Wild - CyberSecurityNews
CyberSecurityNews. Archived Mar 26, 2026.
A public proof-of-concept exploit has been released for CVE-2026-2441, a critical use-after-free zero-day vulnerability in Google Chrome’s Blink CSS engine that Google confirmed is being actively exploited in the wild.
Security researcher Shaheen Fazim reported the flaw on February 11, 2026, and Google issued an emergency patch just two days later.
Classified as Chrome’s first zero-day of 2026, the vulnerability exists in the CSSFontFeatureValuesMap component within Chrome’s Blink rendering engine.
The root cause is an iterator invalidation flaw where FontFeatureValuesMapIterationSource stores a raw pointer (const FontFeatureAliases* aliases_) to an internal FontFeatureAliases HashMap.
When the map is mutated during iteration via set() or delete(), the HashMap rehashes, allocating new storage and freeing the old block. The raw pointer becomes dangling, and the subsequent FetchNextItem() call reads from freed memory, triggering the use-after-free condition.
Google’s fix replaces the raw pointer with a deep copy of the HashMap, ensuring the iterator operates on its own isolated snapshot immune to rehashing.
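The snapshot pattern described above, as an added example that is not Chromium's code or the published PoC: a simplified C++ model in which `Aliases`, `SnapshotIterationSource`, `Result` and `IterateWhileMutating` are assumed names and `std::unordered_map` stands in for Blink's HashMap. The iteration source owns a deep copy, so mutations that force the live map to rehash cannot change what it reads.

```cpp
// Simplified model with assumed names; not Chromium source.
#include <cstddef>
#include <string>
#include <unordered_map>
#include <vector>

using Aliases = std::unordered_map<std::string, std::vector<int>>;

// Vulnerable shape (per the article): keep `const Aliases* aliases_` and read
// live storage in FetchNextItem(). Hardened shape: iterate an owned deep copy.
class SnapshotIterationSource {
 public:
  explicit SnapshotIterationSource(const Aliases& live)
      : snapshot_(live), it_(snapshot_.begin()) {}
  SnapshotIterationSource(const SnapshotIterationSource&) = delete;
  bool FetchNextItem(std::string& key, std::vector<int>& value) {
    if (it_ == snapshot_.end()) return false;
    key = it_->first;
    value = it_->second;
    ++it_;
    return true;
  }

 private:
  Aliases snapshot_;            // declared first, so initialized before it_
  Aliases::const_iterator it_;  // points into snapshot_, never into live data
};

struct Result { std::size_t visited; bool rehashed; std::size_t live_size; };

// Mutates the live map on every step (set()/delete() mid-iteration in the article).
Result IterateWhileMutating(std::size_t initial, std::size_t inserts_per_step) {
  Aliases live;
  for (std::size_t i = 0; i < initial; ++i) live["alias" + std::to_string(i)] = {static_cast<int>(i)};
  const std::size_t buckets_before = live.bucket_count();
  SnapshotIterationSource source(live);
  std::size_t visited = 0;
  std::string key;
  std::vector<int> value;
  while (source.FetchNextItem(key, value)) {
    ++visited;
    for (std::size_t j = 0; j < inserts_per_step; ++j)
      live["new" + std::to_string(visited) + "_" + std::to_string(j)] = {0};
    live.erase(key);  // delete the entry that was just visited
  }
  // A changed bucket count means the live map replaced its storage (rehash).
  return {visited, live.bucket_count() != buckets_before, live.size()};
}
int main() { return IterateWhileMutating(8, 64).visited == 8 ? 0 : 1; }
```

The iterator still yields exactly the entries that existed when it was created, even though the live map rehashed and every original key was deleted during the loop.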
| Platform | Vulnerable | Fixed |
|---|---|---|
| Windows / macOS (Stable) | < 145.0.7632.75 | >= 145.0.7632.75 |
| Linux (Stable) | < 144.0.7559.75 | >= 144.0.7559.75 |
| Windows / macOS (Extended Stable) | < 144.0.7559.177 | >= 144.0.7559.177 |
| Chromium-based (Edge, Brave, Opera, Vivaldi) | Check vendor advisory | Varies |
PoC Mechanics and Impact
The published PoC triggers the UAF through three distinct methods: an entries() iterator combined with a mutation loop, a for...of loop with concurrent deletion and heap spraying, and a requestAnimationFrame-based technique that forces a layout recalculation mid-iteration.
Each method also incorporates heap grooming by pre-allocating 50 same-sized @font-feature-values CSS rules to increase the predictability of heap layout for exploitation.
On unpatched Chrome versions, the renderer process crashes with STATUS_ACCESS_VIOLATION on Windows or SIGSEGV on Linux and macOS, confirming the dangling pointer accesses freed memory.
The immediate impact is confined to the Chrome renderer sandbox: arbitrary code execution within the sandboxed process, information disclosure through leaked V8 heap pointers for ASLR bypass, credential theft via document.cookie and localStorage access, and session hijacking through token exfiltration.
When chained with a separate sandbox escape vulnerability, this UAF becomes the first link in a full system compromise chain, a pattern previously observed with NSO Pegasus (WebKit UAF), Intellexa Predator, and APT-28’s Chrome 0-day campaigns.
The vulnerability is exploitable via drive-by download, requiring no user interaction beyond visiting a malicious page, making it suitable for malvertising, watering hole, and spear-phishing delivery.
The U.S. CISA has added CVE-2026-2441 to its Known Exploited Vulnerabilities (KEV) catalog. Users must immediately update Chrome to version 145.0.7632.75 or later on Windows and macOS, and 144.0.7559.75 or later on Linux.
Chromium-based browser users should apply vendor patches from Edge, Brave, Opera, and Vivaldi as they become available. Administrators should also verify that Site Isolation is enabled via chrome://flags/#site-isolation-trial-opt-out and audit all endpoints for outdated Chrome deployments.