Chrome 145 Patches Active Zero-Day CVE-2026-2441

Google released an emergency update for Chrome 145 on February 13, 2026, fixing a high-severity zero-day vulnerability that was already being exploited in active attacks. The flaw, tracked as CVE-2026-2441, is a use-after-free bug in Chrome’s CSS engine. It was reported by security researcher Shaheen Fazim on February 11, 2026, two days before Google pushed the fix. The initial patched versions were 145.0.7632.75 and 145.0.7632.76 for Windows and macOS, and 144.0.7559.75 for Linux.
A use-after-free vulnerability occurs when a program continues referencing a memory location after it has been freed. In a browser, this type of flaw can allow an attacker to execute arbitrary code on a target device through a malicious web page. Google confirmed at the time of release that an exploit for CVE-2026-2441 was already circulating in the wild.
Four days later, on February 17, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-2441 to its Known Exploited Vulnerabilities catalog. The KEV listing set a remediation deadline of March 10, 2026, requiring Federal Civilian Executive Branch agencies to apply the available fix. CISA added the Chrome flaw as part of a batch update that also included three other vulnerabilities: CVE-2008-0015, a Microsoft Windows Video ActiveX Control remote code execution flaw dating back to 2008; CVE-2020-7796, a server-side request forgery flaw in Synacor Zimbra Collaboration Suite; and CVE-2024-7694, an unrestricted file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware software.
On February 18, 2026, Google shipped a second round of Chrome updates, moving Windows and macOS builds to 145.0.7632.109 and 145.0.7632.110 respectively, and Linux to 144.0.7559.109. This follow-up release addressed three additional security vulnerabilities. CVE-2026-2648 is a high-severity heap buffer overflow in PDFium. CVE-2026-2649 is a high-severity integer overflow in V8, Chrome’s JavaScript engine. CVE-2026-2650 is a medium-severity heap buffer overflow in the Media component. The rollout was described as staged, spreading to users over the coming days and weeks.
Google also updated the Extended Stable channel on February 18, 2026, releasing version 144.0.7559.220 for Windows and macOS users on the slower update track. Mobile platforms received updates at the same time. Chrome 145 version 145.0.7632.109 became available for Android users through Google Play, and version 145.0.7632.108 was released for iOS through the App Store. Google confirmed that Android releases carry the same security fixes as the corresponding desktop releases unless otherwise noted.
Following the initial disclosure, the National Vulnerability Database record for CVE-2026-2441 was updated multiple times. A modification made on February 20, 2026, by CISA’s Authorized Data Publisher added a reference to a publicly available proof-of-concept exploit. The availability of a public proof-of-concept lowers the technical barrier for potential attackers, increasing the risk to systems that remain unpatched.
CISA urges all organizations, not only federal agencies, to prioritize the remediation of vulnerabilities listed in the KEV catalog as part of their standard vulnerability management practice. Users running Chrome on any platform should verify their browser is updated to the latest available version.
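One way to run that version check across a fleet, as an added example that is not from Google or CISA: it compares each inventoried Chrome build against the February 18, 2026 build this article lists for its platform and channel. The inventory format (host,platform,channel,version), the channel labels and the sample rows are constructed for illustration.

```python
import re

# February 18, 2026 builds as listed in the article, keyed by (platform, channel).
TARGET_BUILDS = {
    ("windows", "stable"): "145.0.7632.109",
    ("macos", "stable"): "145.0.7632.110",
    ("linux", "stable"): "144.0.7559.109",
    ("android", "stable"): "145.0.7632.109",
    ("ios", "stable"): "145.0.7632.108",
    ("windows", "extended"): "144.0.7559.220",
    ("macos", "extended"): "144.0.7559.220",
}
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def parse_version(text):
    """Return the four version fields as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(platform, channel, version):
    """'current' means at or above the February 18 build for that channel."""
    target = TARGET_BUILDS.get((platform.strip().lower(), channel.strip().lower()))
    if target is None:
        return "unknown-target"   # no build listed in the article for this pair
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"      # never treat an unreadable version as patched
    # Integer tuples, not strings: as text, "1000" would sort below "109".
    return "current" if parsed >= parse_version(target) else "outdated"

def audit(inventory_csv):
    """Return (host, status) for each non-empty inventory line."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            findings.append((fields[0], "unparseable"))
            continue
        host, platform, channel, version = fields
        findings.append((host, classify(platform, channel, version)))
    return findings

# Constructed sample inventory; hostnames and rows are illustrative only.
SAMPLE = """ws-01,windows,stable,145.0.7632.109
ws-02,windows,stable,145.0.7632.75
mac-01,macos,extended,144.0.7559.220
lnx-01,linux,stable,144.0.7559.1000
kiosk-01,windows,stable,Chrome 145"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

A host flagged "outdated" here may already carry the initial February 13 fix; the status only says it is behind the February 18 build.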



