"The flaw, tracked as CVE-2026-2441 and assigned a "high" CVSS score of 8.8, stems from a use-after-free bug in Chrome's CSS handling that could allow a remote attacker to execute arbitrary code inside the browser's sandbox using a specially crafted HTML page. In other words, a dodgy webpage could be all an attacker needs to get malicious code running inside a victim's browser."
"Security researcher Shaheen Fazim reported the flaw on February 11, and Google acknowledged that attackers were already exploiting it just two days later - though it's staying tight-lipped on the specifics. The company has not said whether the attacks were targeted or part of a broader exploitation campaign, only that the vulnerability was being abused before a fix was ready. "Google is aware that an exploit for CVE-2026-2441 exists in the wild," its security advisory stated."
An actively exploited zero-day in Chrome, tracked as CVE-2026-2441 with a high CVSS score of 8.8, arises from a use-after-free bug in CSS handling that can allow remote attackers to execute arbitrary code inside the browser sandbox via a specially crafted HTML page. Google issued emergency Chrome updates (145.0.7632.75 for Windows and Mac, 144.0.7559.75 for Linux) and said the fixes will roll out over the coming days and weeks. The bug was reported on February 11, and Google acknowledged in-the-wild exploitation two days later. Google is withholding technical details until most users receive patches. Additional risks include widespread malicious Chrome extensions siphoning browsing histories.
Read at Theregister