1. Home
  2. Vulnerabilities
  3. CVE-2026-2441
Known Exploited Vulnerability
8.8
HIGH CVSS 3.1
CVE-2026-2441
Google Chromium CSS Use-After-Free Vulnerability - [Actively Exploited]
Description

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

INFO

Published Date :

Feb. 13, 2026, 7:17 p.m.

Last Modified :

Feb. 23, 2026, 1:24 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-2441

Affected Products

The following products are affected by CVE-2026-2441 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows
2 Microsoft edge_chromium
1 Linux linux_kernel
1 Google chrome
1 Apple macos
: Total Affected Vendor : 4 | Products : 5
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH [email protected]
Solution
Update Google Chrome to the latest version to fix a memory corruption vulnerability.
  • Update Google Chrome to version 145.0.7632.75 or later.
  • Ensure the browser is automatically updated.
Public PoC/Exploit Available at Github

CVE-2026-2441 has a 28 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-2441.

URL Resource
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html Release Notes
https://issues.chromium.org/issues/483569511 Issue Tracking Permissions Required
https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-2441 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-2441 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
fartlover37/CVE-2026-2441-PoC

Demonstrate a proof-of-concept exploit for CVE-2026-2441, a high-risk Chrome use-after-free vulnerability in the Blink CSS engine.

agent agents chinese gluon hacktoberfest notebook obfuscation person-reid poc rag semantic-segmentation testnet testnet-faucet vulnerability web3 zdi

Updated: 1 day, 3 hours ago
0 stars 0 fork 0 watcher
Born at : March 3, 2026, 2:19 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
NAH030/Vulnerability-STIG-Remediations-Using-Powershell

None

Updated: 3 days, 22 hours ago
0 stars 0 fork 0 watcher
Born at : March 1, 2026, 11:37 p.m. This repo has been linked 7 different CVEs too.
Profile Photo
D3b0j33t/CVE-2026-2441-PoC

None

HTML

Updated: 4 days, 8 hours ago
0 stars 0 fork 0 watcher
Born at : March 1, 2026, 6:34 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
NetVanguard-cmd/CVE-2026-2441

None

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 24, 2026, 5:25 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
atiilla/CVE-2026-2441_PoC

None

HTML

Updated: 1 week, 3 days ago
0 stars 1 fork 1 watcher
Born at : Feb. 23, 2026, 8:43 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
washingtonmaister/CVE-2026-2441

None

Updated: 1 week, 6 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 10:50 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
kapetanios55/SentinelCBContent

None

Shell Python

Updated: 1 week ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 10:40 p.m. This repo has been linked 23 different CVEs too.
Profile Photo
RootAid/CVE-2026-2441

None

Updated: 1 week, 6 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 3:52 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
theemperorspath/CVE-2026-2441-PoC

None

HTML

Updated: 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 19, 2026, 11:48 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
jermaine22sei/CVE-2026-2441

None

Updated: 2 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : Feb. 18, 2026, 9:27 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
huseyinstif/CVE-2026-2441-PoC

None

HTML

Updated: 1 week, 2 days ago
80 stars 10 fork 10 watcher
Born at : Feb. 18, 2026, 11:46 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
b1gchoi/CVE-2026-2441_POC

None

HTML

Updated: 2 weeks ago
4 stars 0 fork 0 watcher
Born at : Feb. 16, 2026, 9:46 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
timosarkar/0clickheaven

the zero-click exploit heaven

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 14, 2026, 1:49 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
L5T2Y0/daily-hn-archives

每天自动归档 Hacker News 热门文章

Python

Updated: 2 weeks, 1 day ago
1 stars 0 fork 0 watcher
Born at : Feb. 14, 2026, 1:06 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
huc-b/AutoProfile

展示自我

Python

Updated: 2 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : Nov. 21, 2025, 7:25 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-2441 vulnerability anywhere in the article.

  • Daily CyberSecurity
Update Chrome Now: Google Patches 3 Critical Flaws and 7 High-Risk Vulnerabilities

Google has released an urgent update for the Chrome Stable channel, addressing 10 security vulnerabilities, including three rated as “Critical” and seven rated as “High” severity. The update is rollin ... Read more

Published Date: Mar 05, 2026 (1 day, 1 hour ago)
  • Daily CyberSecurity
Critical 10.0 CVSS Flaw in Cisco Secure FMC Hands Hackers Root Access to Enterprise Firewalls

Cybersecurity researchers have identified a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software, the administrative “nerve center” used to manage unified security policies ... Read more

Published Date: Mar 05, 2026 (1 day, 1 hour ago)
  • Daily CyberSecurity
CISA Adds Qualcomm and VMware Flaws to Known Exploited Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding two high-stakes flaws that are reportedly being weaponized in the wil ... Read more

Published Date: Mar 04, 2026 (2 days ago)
  • Daily CyberSecurity
WordPress Security Alert: Critical Privilege Escalation Flaw in Popular Membership Plugin

A massive security hole has been discovered in the User Registration & Membership plugin for WordPress, a popular tool used by over 60,000 websites to manage tiered subscription plans and custom login ... Read more

Published Date: Mar 04, 2026 (2 days, 2 hours ago)
  • Daily CyberSecurity
Critical RCE Flaw in Qwik Framework Allows Server Takeover via Single Request

Security researchers have identified a critical vulnerability in Qwik, the popular web framework known for its “instant-on” performance and resumability. The flaw, tracked as CVE-2026-27971, carries a ... Read more

Published Date: Mar 04, 2026 (2 days, 2 hours ago)
  • Daily CyberSecurity
Cyber Escalation: Multi-Vector Attacks Surge Following “Operation Epic Fury”

In the wake of the massive joint offensive launched by the United States and Israel on February 28, the digital battlefield has seen a sharp escalation in activity. A new report from Unit 42 reveals t ... Read more

Published Date: Mar 03, 2026 (2 days, 18 hours ago)
  • Daily CyberSecurity
Security Alert: “Hackerbot-Claw” Autonomous Campaign Exploits GitHub Actions

Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF), has issued a warning regarding an active, automated attack campaign dubbed ... Read more

Published Date: Mar 03, 2026 (2 days, 22 hours ago)
  • Daily CyberSecurity
Security Alert: Android March 2026 Update Targets Actively Exploited Zero-Day

Google has released its most substantial security update in years, addressing a total of 129 vulnerabilities in the March 2026 Android Security Bulletin. The massive patch arrives amid warnings that a ... Read more

Published Date: Mar 03, 2026 (3 days ago)
  • Daily CyberSecurity
CVE-2026-2256: Unpatched Flaw in MS-Agent Lets Hackers Hijack AI Assistants

We are officially entering the era of the “autonomous agent”—smart AI programs that don’t just chat with you, but actually do things on your computer, like organizing files, searching the web, or runn ... Read more

Published Date: Mar 03, 2026 (3 days ago)
  • Daily CyberSecurity
Beyond the Router: How the Zerobotv9 Botnet is Hijacking Enterprise Automation

According to a recent investigation by the Akamai Security Intelligence and Response Team (SIRT), a notorious malware family known as Zerobot has re-emerged with new tricks. This latest iteration, dub ... Read more

Published Date: Mar 03, 2026 (3 days, 2 hours ago)
  • Daily CyberSecurity
High-Severity XSS Flaw in Angular i18n Turns Language Files into Backdoors

A newly security flaw was found in the widely used Angular web building platform. Identified as CVE-2026-27970 (and rated as a high-severity 7.6), this vulnerability shows how hackers could easily hid ... Read more

Published Date: Mar 03, 2026 (3 days, 2 hours ago)
  • Daily CyberSecurity
From Chat App to Dark Web: How Telegram Became the New Hub for Cybercrime

For millions of people around the world, Telegram is a secure and convenient way to chat with friends, follow news channels, or join community groups. However, beneath the surface of everyday messagin ... Read more

Published Date: Mar 03, 2026 (3 days, 2 hours ago)
  • Daily CyberSecurity
Bridging the Gap: North Korean APT37 Deploys ‘Ruby Jumper’ to Infiltrate Isolated Air-Gapped Networks

In a sophisticated escalation of cyber espionage, the North Korean-linked threat group APT37 (also known as ScarCruft or Ruby Sleet) has been caught deploying a novel toolkit designed to leap over the ... Read more

Published Date: Mar 03, 2026 (3 days, 2 hours ago)
  • Daily CyberSecurity
Critical Backup Flaws Expose Vitess Environments to Complete Takeover

Vitess is a cloud-native horizontally-scalable distributed database system that is built around MySQL. It allows organizations to achieve unlimited scaling through generalized sharding, and operators ... Read more

Published Date: Mar 02, 2026 (4 days, 1 hour ago)
  • Daily CyberSecurity
Critical 9.8 Flaw in Langflow’s AI CSV Agent Opens a Direct Path to Root Shell

Artificial intelligence is making it easier than ever to build complex applications, but a newly discovered vulnerability shows that these same tools can inadvertently leave the front door wide open f ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)
  • Daily CyberSecurity
Critical Flaws in Vikunja Expose Users to Persistent Account Takeovers

Vikunja is a popular open-source, self-hostable to-do application designed to help users organize their tasks using list, Kanban, Gantt, and table views while keeping their data entirely under their o ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)
  • Daily CyberSecurity
CVE-2026-27728 (CVSS 10): Critical Command Injection Flaw in OneUptime Probe Enables Full Server Takeover

If your organization relies on OneUptime to keep a watchful eye on website availability, APIs, and online dashboards, a newly disclosed vulnerability requires your immediate attention. Tracked as CVE- ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)
  • Daily CyberSecurity
Critical Path Traversal Flaw in basic-ftp Exposes Node.js Apps to Arbitrary File Writes

With over 18 million downloads, basic-ftp is a cornerstone utility for Node.js developers, offering a robust, Promise-based API for handling FTP, FTPS over TLS, and bulk directory operations. However, ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)
  • Daily CyberSecurity
Steering the Server: Critical 9.2 Severity SSRF Flaw in Angular SSR Allows Internal Network Probing

Developers relying on Angular’s Server-Side Rendering (SSR) capabilities need to double-check their security configurations. A highly critical vulnerability has been disclosed in the Angular SSR reque ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)
  • Daily CyberSecurity
The New Voice of Fraud: Cybercrime ‘Supergroup’ Recruits Female Callers to Breach Corporate IT Help Desks

Cybersecurity threats are no longer just about malicious code and zero-day vulnerabilities; they are increasingly about human psychology. In a shift in social engineering tactics, a notorious cybercri ... Read more

Published Date: Mar 02, 2026 (4 days, 2 hours ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-2441 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Feb. 23, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CWE CWE-416
    Added Reference Type CISA-ADP: https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html Types: Exploit
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 20, 2026

    Action Type Old Value New Value
    Added Reference https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html
  • Modified Analysis by [email protected]

    Feb. 18, 2026

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 17, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441
  • Initial Analysis by [email protected]

    Feb. 17, 2026

    Action Type Old Value New Value
    Added CPE Configuration AND OR *cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 145.0.7632.75 OR cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 145.0.7632.76 OR cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    Added Reference Type Chrome: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html Types: Release Notes
    Added Reference Type Chrome: https://issues.chromium.org/issues/483569511 Types: Issue Tracking, Permissions Required
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 13, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • New CVE Received by [email protected]

    Feb. 13, 2026

    Action Type Old Value New Value
    Added Description Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Added CWE CWE-416
    Added Reference https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
    Added Reference https://issues.chromium.org/issues/483569511
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact