CVE-2026-2441: Chrome Zero-Day Enables In-Sandbox Code Execution
Google has patched CVE-2026-2441, noting that it is “aware that an exploit for CVE-2026-2441 exists in the wild” as of the Stable Channel update published on February 13, 2026. This post summarizes what the flaw is, which versions are exposed, how exploitation is expected to work at a high level, and what defenders should do to reduce risk quickly.
What Is CVE-2026-2441 in Google Chrome?
CVE-2026-2441 (CVSS 8.8) is a use-after-free condition in Chrome’s CSS handling. In practical terms, Chrome can end up referencing memory that has already been freed, which can corrupt program state in a way an attacker may be able to control.
Details of CVE-2026-2441 (SOCRadar Vulnerability Intelligence)
The reported impact is arbitrary code execution inside the browser sandbox. That does not by itself mean full host compromise, but it is still a serious foothold because sandboxed code execution can be chained with a separate sandbox escape for broader impact.
Which Chrome Versions Are Affected and What Are the Fixed Builds?
From an exposure standpoint, the simplest rule is to treat Chrome versions on Windows/macOS prior to 145.0.7632.75 as vulnerable. For Linux, treat versions below 144.0.7559.75 as vulnerable.
Google shipped fixes on February 13, 2026, with different version numbers by platform and channel:
Chrome Stable (Desktop)
- Windows / macOS: 145.0.7632.75 and 145.0.7632.76
- Linux: 144.0.7559.75
Chrome Extended Stable (Desktop)
- Windows / macOS (Extended Stable): 144.0.7559.177
If you run Chromium-based browsers outside of Google Chrome, treat this as “potentially impacted” until the vendor confirms the Chromium version they have integrated and shipped.
How Does Exploitation Work?
CVE-2026-2441 is triggered via web content, meaning an attacker can deliver it through a crafted HTML page. The exploitation model described publicly is consistent with a drive-by scenario where the attacker’s key requirement is user interaction, such as convincing a victim to visit an attacker-controlled page or open a malicious link.
Public reporting links the issue to Chrome’s CSS font feature values handling (e.g., CSSFontFeatureValuesMap), but detailed exploitation mechanics are not fully public.
Is There a Public PoC Exploit Available?
At the time of writing, there is no official public Proof-of-Concept (PoC) exploit, and the related Chromium issue tracker entry is restricted.
What Should Defenders Do Right Now?
1) Patch, then verify the browser actually restarted
The primary remediation is to update Chrome to a fixed version and ensure users restart Chrome so endpoints run the patched binary.
Use these minimum versions as compliance gates:
- Windows/macOS Stable: 145.0.7632.75+
- Linux Stable: 144.0.7559.75+
- Windows/macOS Extended Stable: 144.0.7559.177+
2) Identify and prioritize endpoints below fixed versions
Use software inventory, EDR telemetry, or MDM reporting to:
- Find endpoints running below the fixed versions
- Prioritize high-risk roles (executives, finance, IT admins, SOC analysts) and high-exposure browsing patterns
3) Use short-term compensating controls only to buy time
If patch rollout will take time, apply temporary controls where feasible, such as stricter web filtering for high-risk groups. Treat these as stopgaps, not substitutes, because patching is the only direct fix for the underlying memory safety condition.
4) Track Chromium-based browser lag
If your environment includes other Chromium-based browsers, confirm when each vendor absorbed the upstream fix and shipped it. Do not assume parity with Chrome’s release date.
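The compliance gates from steps 1, 2 and 4, applied to an inventory export. This is an added example, not code from Google or SOCRadar. The CSV column names, the host names and the idea that your EDR reports a separate running-process version are assumptions, and the sample rows are constructed.

```python
import csv

# Minimum fixed builds listed in this post, keyed by (platform, channel).
FIXED = {
    ("windows", "stable"): (145, 0, 7632, 75),
    ("macos", "stable"): (145, 0, 7632, 75),
    ("linux", "stable"): (144, 0, 7559, 75),
    ("windows", "extended"): (144, 0, 7559, 177),
    ("macos", "extended"): (144, 0, 7559, 177),
}

def parse_version(text):
    """Return (a, b, c, d) as ints, or None if text is not a four-part version."""
    parts = text.strip().split(".")
    ok = len(parts) == 4 and all(p.isdecimal() for p in parts)
    return tuple(int(p) for p in parts) if ok else None

def classify(row):
    """Classify one inventory row against the compliance gates."""
    if row["browser"].strip().lower() != "chrome":
        return "CONFIRM_WITH_VENDOR"  # other Chromium-based browser: no gate here
    gate = FIXED.get((row["platform"].lower(), row["channel"].lower()))
    installed = parse_version(row["installed"])
    running = parse_version(row["running"])
    if gate is None or installed is None:
        return "UNKNOWN"  # platform/channel not covered above, or bad version data
    if installed < gate:  # tuple comparison; string comparison would misorder .100 vs .75
        return "VULNERABLE"
    if running is not None and running < gate:
        return "RESTART_PENDING"  # patched on disk, old binary still in memory
    return "OK"

def triage(inventory_csv):
    """Map host -> status for a CSV export with the columns used in SAMPLE."""
    return {r["host"]: classify(r) for r in csv.DictReader(inventory_csv.splitlines())}

# Constructed sample inventory (hypothetical hosts, not real telemetry).
SAMPLE = """host,browser,platform,channel,installed,running
fin-01,Chrome,windows,stable,145.0.7632.76,145.0.7632.76
exec-02,Chrome,macos,stable,145.0.7632.75,144.0.7559.110
dev-03,Chrome,linux,stable,144.0.7559.60,144.0.7559.60
it-04,Chrome,windows,extended,144.0.7559.177,
soc-05,Chrome,windows,stable,144.0.7559.177,144.0.7559.177
kiosk-06,OtherChromium,windows,stable,1.2.3.4,1.2.3.4
lab-07,Chrome,linux,stable,unknown,
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that soc-05 is flagged even though 144.0.7559.177 is a fixed build: that build is the gate for the Extended Stable channel only, so the channel has to be part of the comparison.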
Strengthen Vulnerability Response with SOCRadar
Actively exploited vulnerabilities require accelerated response. Security teams must quickly determine:
- Which assets are exposed
- Whether exploitation attempts are observed
- Which user groups carry the highest risk
Manual tracking slows response and increases blind spots. In response, SOCRadar’s Cyber Threat Intelligence module delivers real-time insights into:
- Newly disclosed CVEs
- Exploitation status and threat actor activity
- Risk-based prioritization guidance
- Contextual enrichment beyond raw CVSS scores
SOCRadar’s Vulnerability Intelligence
In high-velocity vulnerability cycles, actionable intelligence determines whether an organization reacts in hours or days.
