CVE-2026-2441
Google Chromium CSS Use-After-Free Vulnerability - [Actively Exploited]
Description
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
INFO
Published Date: Feb. 13, 2026, 7:17 p.m.
Last Modified: Feb. 23, 2026, 1:24 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-2441
Affected Products
The following products are affected by the CVE-2026-2441 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | HIGH | | | | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| | CVSS 3.1 | HIGH | | | | [email protected] |
Solution
- Update Google Chrome to version 145.0.7632.75 or later.
- Ensure the browser is automatically updated.
Public PoC/Exploit Available on GitHub
CVE-2026-2441 has 28 public PoCs/exploits available on GitHub.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-2441.
| URL | Resource |
|---|---|
| https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html | Release Notes |
| https://issues.chromium.org/issues/483569511 | Issue Tracking, Permissions Required |
| https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html | Exploit |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-2441 is associated with the following CWEs:
- CWE-416: Use After Free
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-2441 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).
Demonstrate a proof-of-concept exploit for CVE-2026-2441, a high-risk Chrome use-after-free vulnerability in the Blink CSS engine.
the zero-click exploit heaven
Automatically archives popular Hacker News articles every day
Python
Showcasing myself
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-2441 vulnerability anywhere in the article.
- Daily CyberSecurity: Update Chrome Now: Google Patches 3 Critical Flaws and 7 High-Risk Vulnerabilities
  Google has released an urgent update for the Chrome Stable channel, addressing 10 security vulnerabilities, including three rated as “Critical” and seven rated as “High” severity. The update is rollin ...
- Daily CyberSecurity: Critical 10.0 CVSS Flaw in Cisco Secure FMC Hands Hackers Root Access to Enterprise Firewalls
  Cybersecurity researchers have identified a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software, the administrative “nerve center” used to manage unified security policies ...
- Daily CyberSecurity: CISA Adds Qualcomm and VMware Flaws to Known Exploited Catalog
  The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding two high-stakes flaws that are reportedly being weaponized in the wil ...
- Daily CyberSecurity: WordPress Security Alert: Critical Privilege Escalation Flaw in Popular Membership Plugin
  A massive security hole has been discovered in the User Registration & Membership plugin for WordPress, a popular tool used by over 60,000 websites to manage tiered subscription plans and custom login ...
- Daily CyberSecurity: Critical RCE Flaw in Qwik Framework Allows Server Takeover via Single Request
  Security researchers have identified a critical vulnerability in Qwik, the popular web framework known for its “instant-on” performance and resumability. The flaw, tracked as CVE-2026-27971, carries a ...
- Daily CyberSecurity: Cyber Escalation: Multi-Vector Attacks Surge Following “Operation Epic Fury”
  In the wake of the massive joint offensive launched by the United States and Israel on February 28, the digital battlefield has seen a sharp escalation in activity. A new report from Unit 42 reveals t ...
- Daily CyberSecurity: Security Alert: “Hackerbot-Claw” Autonomous Campaign Exploits GitHub Actions
  Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF), has issued a warning regarding an active, automated attack campaign dubbed ...
- Daily CyberSecurity: Security Alert: Android March 2026 Update Targets Actively Exploited Zero-Day
  Google has released its most substantial security update in years, addressing a total of 129 vulnerabilities in the March 2026 Android Security Bulletin. The massive patch arrives amid warnings that a ...
- Daily CyberSecurity: CVE-2026-2256: Unpatched Flaw in MS-Agent Lets Hackers Hijack AI Assistants
  We are officially entering the era of the “autonomous agent”—smart AI programs that don’t just chat with you, but actually do things on your computer, like organizing files, searching the web, or runn ...
- Daily CyberSecurity: Beyond the Router: How the Zerobotv9 Botnet is Hijacking Enterprise Automation
  According to a recent investigation by the Akamai Security Intelligence and Response Team (SIRT), a notorious malware family known as Zerobot has re-emerged with new tricks. This latest iteration, dub ...
- Daily CyberSecurity: High-Severity XSS Flaw in Angular i18n Turns Language Files into Backdoors
  A newly security flaw was found in the widely used Angular web building platform. Identified as CVE-2026-27970 (and rated as a high-severity 7.6), this vulnerability shows how hackers could easily hid ...
- Daily CyberSecurity: From Chat App to Dark Web: How Telegram Became the New Hub for Cybercrime
  For millions of people around the world, Telegram is a secure and convenient way to chat with friends, follow news channels, or join community groups. However, beneath the surface of everyday messagin ...
- Daily CyberSecurity: Bridging the Gap: North Korean APT37 Deploys ‘Ruby Jumper’ to Infiltrate Isolated Air-Gapped Networks
  In a sophisticated escalation of cyber espionage, the North Korean-linked threat group APT37 (also known as ScarCruft or Ruby Sleet) has been caught deploying a novel toolkit designed to leap over the ...
- Daily CyberSecurity: Critical Backup Flaws Expose Vitess Environments to Complete Takeover
  Vitess is a cloud-native horizontally-scalable distributed database system that is built around MySQL. It allows organizations to achieve unlimited scaling through generalized sharding, and operators ...
- Daily CyberSecurity: Critical 9.8 Flaw in Langflow’s AI CSV Agent Opens a Direct Path to Root Shell
  Artificial intelligence is making it easier than ever to build complex applications, but a newly discovered vulnerability shows that these same tools can inadvertently leave the front door wide open f ...
- Daily CyberSecurity: Critical Flaws in Vikunja Expose Users to Persistent Account Takeovers
  Vikunja is a popular open-source, self-hostable to-do application designed to help users organize their tasks using list, Kanban, Gantt, and table views while keeping their data entirely under their o ...
- Daily CyberSecurity: CVE-2026-27728 (CVSS 10): Critical Command Injection Flaw in OneUptime Probe Enables Full Server Takeover
  If your organization relies on OneUptime to keep a watchful eye on website availability, APIs, and online dashboards, a newly disclosed vulnerability requires your immediate attention. Tracked as CVE- ...
- Daily CyberSecurity: Critical Path Traversal Flaw in basic-ftp Exposes Node.js Apps to Arbitrary File Writes
  With over 18 million downloads, basic-ftp is a cornerstone utility for Node.js developers, offering a robust, Promise-based API for handling FTP, FTPS over TLS, and bulk directory operations. However, ...
- Daily CyberSecurity: Steering the Server: Critical 9.2 Severity SSRF Flaw in Angular SSR Allows Internal Network Probing
  Developers relying on Angular’s Server-Side Rendering (SSR) capabilities need to double-check their security configurations. A highly critical vulnerability has been disclosed in the Angular SSR reque ...
- Daily CyberSecurity: The New Voice of Fraud: Cybercrime ‘Supergroup’ Recruits Female Callers to Breach Corporate IT Help Desks
  Cybersecurity threats are no longer just about malicious code and zero-day vulnerabilities; they are increasingly about human psychology. In a shift in social engineering tactics, a notorious cybercri ...
The following table lists the changes that have been made to the CVE-2026-2441 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
Modified Analysis by [email protected] (Feb. 23, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Added | CWE | | CWE-416 |
| Added | Reference Type | | CISA-ADP: https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html Types: Exploit |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Feb. 20, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html |

Modified Analysis by [email protected] (Feb. 18, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference Type | | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441 Types: US Government Resource |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Feb. 17, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441 |

Initial Analysis by [email protected] (Feb. 17, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | AND OR *cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 145.0.7632.75 OR cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
| Added | CPE Configuration | | AND OR *cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 145.0.7632.76 OR cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
| Added | Reference Type | | Chrome: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html Types: Release Notes |
| Added | Reference Type | | Chrome: https://issues.chromium.org/issues/483569511 Types: Issue Tracking, Permissions Required |

CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Feb. 13, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

New CVE Received by [email protected] (Feb. 13, 2026)

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| Added | CWE | | CWE-416 |
| Added | Reference | | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html |
| Added | Reference | | https://issues.chromium.org/issues/483569511 |