Google Chrome Fixes Actively Exploited CVE-2026-2441 Bug
Summary: Google Chrome has a serious security vulnerability, CVE-2026-2441, that can be exploited to execute remote code. An emergency update has been released to fix the problem. 2026-2-16 07:49:4 Author: thecyberexpress.com (view original)

A critical security vulnerability, CVE-2026-2441, has prompted an urgent out-of-band update for Google Chrome after confirmation that the flaw is being actively exploited. The Hong Kong Computer Emergency Response Team (HKCERT) alerted users to the flaw on 16 February 2026. The issue has been classified as an Extremely High-Risk vulnerability affecting browser clients and carries serious implications due to its potential for Remote Code Execution. 

The fix shipped in Google's Stable Channel Update for Desktop, which updates the Stable channel for Windows, Mac, and Linux. The update contains one security fix, for CVE-2026-2441, a use-after-free (UAF) vulnerability that could allow an attacker to execute arbitrary code on a victim's system when the victim visits a specially crafted web page.

CVE-2026-2441: Use-After-Free Flaw in Google Chrome’s CSS Engine Enables Remote Code Execution 

The vulnerability, tracked as CVE-2026-2441, stems from a use-after-free error within Google Chrome’s CSS processing component. According to the official description: 

“A use-after-free vulnerability in the CSS processing in Google Chrome before version 145.0.7632.75 allows an attacker to execute arbitrary code within a sandbox via a crafted HTML page.” 

In technical terms, a use-after-free vulnerability occurs when software continues to access memory after it has been released. Because the contents of that memory are undefined (the allocator may already have handed the region to something else), the result is unpredictable. A crash is the most common outcome, but an attacker who can influence what now occupies the freed region can steer the program into running code of their choosing, which in this case leads to Remote Code Execution within Chrome's sandbox.
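To make the bug class concrete, here is an added illustration written for this page; it is a constructed toy, not Chromium's CSS code, and the `Style`, `RawNode` and `StylePool` types are assumptions for the demo. The first half shows the classic pattern (a raw pointer that outlives the object it points to), which AddressSanitizer flags as `heap-use-after-free` when built with `-fsanitize=address -DDEMO_UAF`. The second half shows a common hardening: generation-checked handles, where a reference to a freed or reused slot resolves to a sentinel instead of being dereferenced.

```c
/* Added illustration of the use-after-free class, not Chromium's CSS code.
 * Build and run with ASan to see the vulnerable path reported:
 *   cc -g -fsanitize=address -DDEMO_UAF uaf_demo.c && ./a.out
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "computed style" record standing in for an engine-owned object. */
typedef struct {
    uint32_t color;
    char     font[32];
} Style;

/* ---- Vulnerable pattern: a raw pointer that outlives its object ---- */
typedef struct { Style *style; } RawNode;   /* dangles after free() */

static Style *style_new(uint32_t color, const char *font) {
    Style *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->color = color;
    snprintf(s->font, sizeof s->font, "%s", font);
    return s;
}

/* Reads through the node's pointer. Once the Style has been freed this is
 * a use-after-free; AddressSanitizer reports "heap-use-after-free" here. */
static uint32_t rawnode_color(const RawNode *n) {
    return n->style->color;
}

/* ---- Hardened pattern: generation-checked handles instead of raw pointers ---- */
#define POOL_SIZE 8
#define STALE     0xFFFFFFFFu   /* sentinel returned for a dead handle */

typedef struct { uint16_t slot, gen; } Handle;

typedef struct {
    Style    style[POOL_SIZE];
    uint16_t gen[POOL_SIZE];    /* incremented on every free */
    int      live[POOL_SIZE];
} StylePool;

static Handle pool_alloc(StylePool *p, uint32_t color, const char *font) {
    for (uint16_t i = 0; i < POOL_SIZE; i++) {
        if (p->live[i]) continue;
        p->live[i] = 1;
        p->style[i].color = color;
        snprintf(p->style[i].font, sizeof p->style[i].font, "%s", font);
        return (Handle){ i, p->gen[i] };
    }
    abort();                    /* pool exhausted; acceptable for a demo */
}

static void pool_free(StylePool *p, Handle h) {
    if (h.slot >= POOL_SIZE || !p->live[h.slot] || p->gen[h.slot] != h.gen)
        return;                 /* double free or stale handle: ignored */
    p->live[h.slot] = 0;
    p->gen[h.slot]++;           /* every handle still held for this slot is now stale */
    memset(&p->style[h.slot], 0, sizeof(Style));
}

/* Resolves a handle, or NULL if it refers to a freed or reused slot. */
static Style *pool_get(StylePool *p, Handle h) {
    if (h.slot >= POOL_SIZE || !p->live[h.slot] || p->gen[h.slot] != h.gen)
        return NULL;
    return &p->style[h.slot];
}

static uint32_t pool_color(StylePool *p, Handle h) {
    Style *s = pool_get(p, h);
    return s ? s->color : STALE;
}

/* Alloc, free, reallocate into the same slot; returns 1 if the stale handle
 * was rejected both times and the fresh one resolved, 0 otherwise. */
int handle_check(void) {
    StylePool pool = {0};
    Handle old = pool_alloc(&pool, 0x336699, "serif");
    if (pool_color(&pool, old) != 0x336699) return 0;
    pool_free(&pool, old);
    if (pool_color(&pool, old) != STALE) return 0;
    Handle fresh = pool_alloc(&pool, 0xABCDEF, "sans");   /* reuses slot 0 */
    if (pool_color(&pool, fresh) != 0xABCDEF) return 0;
    return pool_color(&pool, old) == STALE;
}

int main(void) {
    printf("handle check: %s\n", handle_check() ? "stale handle rejected" : "FAILED");

    RawNode n = { style_new(0x336699, "serif") };
    free(n.style);              /* ownership released elsewhere in the engine */
#ifdef DEMO_UAF
    printf("dangling read: %06x\n", rawnode_color(&n));   /* ASan aborts here */
#else
    (void)&rawnode_color;
#endif
    return 0;
}
```

The generation counter is what turns a silent memory-safety bug into a detectable logic error: a stale handle fails the `gen` comparison even after the slot has been handed to a new object, so the worst case is a sentinel value rather than a read of someone else's data.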

The flaw has been assigned a CVSS score of 8.8 and is rated “high” under standard scoring metrics. However, the broader advisory categorizes the risk as Extremely High Risk, largely because CVE-2026-2441 is already being exploited in the wild. A remote attacker can trigger the vulnerability simply by convincing a user to open a specially crafted HTML page. 


Google Chrome Stable Channel Update Addresses CVE-2026-2441 Exploitation 

Google released an emergency update on February 13 to address the issue. Through the update, the company said, “The Stable channel has been updated to 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.”

The patch includes one security fix, the remediation of CVE-2026-2441. The vulnerability was reported by Shaheen Fazim on February 11, and is internally referenced as “[TBD][483569511] High CVE-2026-2441: Use after free in CSS.” 

Google confirmed that an exploit for CVE-2026-2441 exists in the wild. Due to active exploitation and the possibility of Remote Code Execution, details about the bug may remain temporarily restricted. The company explained: 

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.” 

Affected Google Chrome Versions and Remote Code Execution Risk 

The Remote Code Execution vulnerability impacts the following versions of Google Chrome: 

  • Google Chrome prior to 144.0.7559.75 (Linux) 
  • Google Chrome prior to 145.0.7632.75/76 (macOS) 
  • Google Chrome prior to 145.0.7632.75/76 (Windows) 

The following versions are confirmed to contain the fix for CVE-2026-2441: 

  • 144.0.7559.75 for Linux 
  • 145.0.7632.75/76 for macOS and Windows 
  • Extended Stable version 144.0.7559.177 for macOS and Windows 
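The two version lists above are easy to misread when checking a fleet, because the Linux fix sits on the 144 line while Stable on macOS and Windows moved to 145 and Extended Stable stayed on 144. The following added helper (written for this page, not a Google tool) encodes exactly those thresholds: it parses dotted version strings, compares them numerically, and accepts raw `google-chrome --version` output. The platform names `linux`, `mac` and `windows` and the sample version strings in `main` are constructed for the demo.

```c
/* Added helper, not a Google tool: decides whether a Chrome version string
 * already carries the CVE-2026-2441 fix, using the fixed builds listed above.
 * Build: cc -Wall chrome_check.c && ./a.out
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PARTS 4

/* Parses a dotted version ("144.0.7559.75"); missing parts read as 0 and
 * anything after the numeric run is ignored. Returns 1 on success, 0 if
 * the string does not start with a number. */
static int parse_version(const char *s, long out[PARTS]) {
    int n = 0;
    memset(out, 0, PARTS * sizeof *out);
    while (n < PARTS) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0) break;
        out[n++] = v;
        s = end;
        if (*s != '.') break;
        s++;
    }
    return n > 0;
}

static int version_cmp(const long a[PARTS], const long b[PARTS]) {
    for (int i = 0; i < PARTS; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

static int at_least(const long have[PARTS], const char *min) {
    long need[PARTS];
    parse_version(min, need);
    return version_cmp(have, need) >= 0;
}

/* Returns 1 if `version` on `platform` ("linux", "mac", "windows") is at or
 * above a fixed build, 0 if it is still vulnerable, -1 if it cannot be judged. */
int chrome_is_patched(const char *platform, const char *version) {
    long have[PARTS];
    if (!parse_version(version, have)) return -1;
    if (strcmp(platform, "linux") == 0)
        return at_least(have, "144.0.7559.75");
    if (strcmp(platform, "mac") == 0 || strcmp(platform, "windows") == 0) {
        if (at_least(have, "145.0.7632.75")) return 1;       /* Stable */
        /* Extended Stable stays on 144.x; 144.0.7559.177 onward is fixed. */
        return at_least(have, "144.0.7559.177") && !at_least(have, "145.0.0.0");
    }
    return -1;
}

/* Accepts raw `google-chrome --version` output such as
 * "Google Chrome 144.0.7559.75" by skipping to the first digit. */
int banner_is_patched(const char *platform, const char *banner) {
    while (*banner && !isdigit((unsigned char)*banner)) banner++;
    return chrome_is_patched(platform, banner);
}

int main(void) {
    /* Constructed sample inputs, as an inventory job might collect them. */
    const char *samples[][2] = {
        { "linux",   "Google Chrome 144.0.7559.75" },
        { "linux",   "Google Chrome 144.0.7559.52" },
        { "windows", "145.0.7632.76" },
        { "mac",     "144.0.7559.177" },
        { "mac",     "144.0.7559.110" },
        { "freebsd", "145.0.7632.75" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = banner_is_patched(samples[i][0], samples[i][1]);
        printf("%-8s %-28s -> %s\n", samples[i][0], samples[i][1],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE" : "unknown");
    }
    return 0;
}
```

The Extended Stable branch is the case worth the extra code: a plain "is the version at least 145.0.7632.75" test would wrongly flag a fully patched 144.0.7559.177 macOS or Windows install as vulnerable.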

Because the vulnerability enables Remote Code Execution, even within the sandbox, it presents a significant security concern. Sandboxing is designed to limit the impact of exploitation, but attackers frequently chain a renderer bug like this one with a separate sandbox-escape vulnerability, which makes rapid patching critical.

Google also highlighted that many security flaws are detected using tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. The company thanked researchers who worked during the development cycle to prevent security bugs from reaching the stable channel. 

Browsers built on the Chromium codebase, including Microsoft Edge, are expected to receive corresponding updates. Users of those browsers should watch for and apply those updates as they become available.

To update Google Chrome, users can click the three-dot menu next to the address bar, navigate to “Help,” and select “About Google Chrome.” The browser will display the current version and initiate the update automatically if needed. On Linux systems, updates are typically applied through the distribution software manager. 


Source: https://thecyberexpress.com/cve-2026-2441-google-chrome/