First Zero Day Vulnerability in 2026 in Google Chrome

A critical zero-day vulnerability has been identified in Google Chrome (CVE-2026-2441). Google issued an out-of-band stable channel update due to active exploitation in the wild. Successful exploitation could allow arbitrary code execution within the Chrome sandbox via a malicious webpage.

CVE

CVE-2026-2441

Targeting / Delivery Mechanism

The vulnerability can be triggered by convincing a user to visit a malicious webpage. The exploit leverages a flaw in Chrome’s CSS font feature handling. Since exploitation is occurring in the wild, risk is elevated for unpatched browsers.

Execution Technique

The issue is a use-after-free vulnerability caused by iterator invalidation in CSSFontFeatureValuesMap. Improper memory handling allows stale object references, which an attacker can manipulate to achieve code execution within the Chrome sandbox.

Persistence / Deployment

While execution occurs within the sandbox, attackers may chain this vulnerability with additional flaws to escape sandbox restrictions, escalate privileges, or deploy further payloads on the host system.

Impact and Smarttech247's Recommended Actions

Operational Impact

Severity is High (CVSS 8.8). Active exploitation increases risk. Successful attacks may result in code execution, potential system compromise, and data exposure if chained with additional vulnerabilities.

Validate Integrity

Identify Chrome installations prior to:

145.0.7632.75/76 (Windows and Mac)
145.0.7632.75 (Linux)

Review endpoint detection alerts for browser exploitation indicators or suspicious child processes spawned from Chrome.

Respond to Confirmed Compromise

Isolate affected endpoints immediately. Conduct forensic review of browser activity, downloaded files, and spawned processes. Reimage systems if compromise cannot be confidently ruled out.

Strengthen Preventative Controls