An Exploit ... in CSS?! | CSS-Tricks
Briefly

"Google credits security researcher Shaheen Fazim with reporting the exploit to Google. The dude's LinkedIn says he's a professional bug hunter, and I'd say he deserves the highest possible bug bounty for finding something that a government agency is saying "in CSS in Google Chrome before 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.""
"When you're able to string whole sentences together again, your first question is: Has CSS really had the dubious honor of being the cause of the first zero-day exploit in Chromium-based browsers for 2026? I mean, the Chrome update channel says they fixed a high-severity vulnerability described as "[u]se after free in CSS" ... on Friday the 13th no less!"
A high-severity vulnerability classified as a "use after free in CSS" was discovered in Chromium-based browsers and patched on Friday the 13th. The vulnerability affects Google Chrome (before version 145.0.7632.75), Microsoft Edge (before 145.0.3800.58), Vivaldi (before 7.8), and Brave (before v1.87.188). Security researcher Shaheen Fazim reported the exploit to Google. The vulnerability allows remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page. Users must update their browsers to the specified versions to protect against exploitation. The discovery raises questions about CSS security, as CSS is traditionally considered safer than JavaScript.
Read at CSS-Tricks