TP-2026-0044 high Under Review C

Chrome CSS Font Feature Zero-Day (CVE-2026-2441) — Actively Exploited RCE

Date February 13, 2026
Attack Type Zero-Day Exploitation Sector Multi-Sector
Geography Global
Threat Actor Unknown
Attribution A4
Confidence C

Executive Summary

A critical use-after-free vulnerability in Google Chrome’s CSS font feature processing (CVE-2026-2441, CVSS 8.8) was discovered on February 11, 2026, and patched with emergency releases on February 13, 2026 (Chrome 145.0.7632.75 and 145.0.7632.76). Google confirmed that an exploit exists in the wild and is being used in targeted attacks. The vulnerability allows arbitrary code execution inside Chrome’s sandboxed renderer process when a victim loads specially crafted HTML, CSS and JavaScript; no download or user action beyond loading the page is required.

The vulnerability resides in the CSSFontFeatureValuesMap implementation, where the browser iterates over a set of font feature values while that same set is being modified, leaving stale pointers to freed entries that can be exploited for code execution. An attacker can host a page that, when loaded by an unpatched Chrome, executes native code in the renderer process. From there the attacker can read whatever that renderer can see (DOM contents, script-accessible cookies and web storage for the origins it hosts, credentials typed or autofilled into those pages) and, if a separate sandbox-escape bug is chained, reach the browser profile, the host, and internal infrastructure for users connecting from corporate networks.

This is the second Chrome zero-day confirmed in active exploitation in 2026, indicating elevated threat activity targeting Chrome users. The emergency patching timeline (2-day window from discovery to patch availability) reflects the severity and active exploitation status.

Technical Analysis

CVE-2026-2441 is a use-after-free (UAF) vulnerability in Chrome’s CSS engine when handling font feature values. The browser keeps a set of font feature values and, during certain CSS operations, iterates over this set while entries are being removed from it. This is the iterator-invalidation form of use-after-free: an entry is freed while the loop still holds a pointer or iterator to it, and the next step of the loop dereferences the stale pointer. If the attacker arranges for the freed allocation to be reused with data they control (heap grooming from JavaScript), the stale pointer becomes a means of corrupting memory and, eventually, of controlling execution flow.

An attacker crafts a webpage whose CSS declares font feature values and whose JavaScript manipulates them in the order needed to trigger the use-after-free. When a user loads the page, Blink processes the CSS, memory is corrupted, and the attacker gains code execution within the renderer process. On its own this yields what the compromised renderer can reach: page contents, script-accessible cookies and localStorage/sessionStorage for the origins hosted in that process (Site Isolation keeps other sites in other processes), OAuth tokens handled by those pages, and anything the user types or autofills into them, including secrets displayed in web consoles such as CI/CD dashboards. Reaching passwords stored in the browser profile, downloaded files, or arbitrary files on the host requires a sandbox escape.

Chrome’s sandbox is designed to contain renderer process exploits, and a renderer UAF by itself does not defeat it: escaping requires a second vulnerability (in the browser process, an IPC handler, or the OS kernel), which is why in-the-wild Chrome exploits are usually delivered as chains. This report has no information on a chained sandbox escape for CVE-2026-2441. Chrome 145.0.7632.75 and 145.0.7632.76 contain the fix. Earlier Chrome versions are affected, as are Chromium-based browsers (Brave, Edge, Opera), which share the vulnerable code and remain exposed until their vendors ship builds containing the fix.
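The bug class in reduced form, added here as an illustration that is not Chromium’s code: FeatureMap, Entry and the visitor are hypothetical stand-ins for CSSFontFeatureValuesMap and for whatever runs during the walk, and the exact Blink code path is not reproduced. The unsafe function shows the iterator-invalidation use-after-free; the safe one shows the snapshot-then-mutate fix and returns how many entries it actually visited.

```cpp
// Added example, not Chromium code: walking a container of heap-owned entries while code
// reached from inside the walk mutates that same container. FeatureMap/Entry/Visitor are
// hypothetical stand-ins for Blink's CSSFontFeatureValuesMap and its callers.
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Entry {
  std::string name;
  int value;
};
using FeatureMap = std::map<std::string, std::unique_ptr<Entry>>;
using Visitor = std::function<void(FeatureMap&, const std::string&, Entry&)>;

// VULNERABLE PATTERN (never called here): range-for over the live map while the visitor
// erases. Erasing the node the loop is positioned on frees it; the loop's hidden ++it
// then reads the freed node, which is exactly a use-after-free. Build with
// -fsanitize=address and call it to see "heap-use-after-free" reported.
void unsafe_for_each(FeatureMap& m, const Visitor& visit) {
  for (auto& kv : m) {
    visit(m, kv.first, *kv.second);  // if visit() erases kv.first, kv is now dangling
  }
}

// HARDENED PATTERN: snapshot the keys, then re-look-up each one before touching it. The
// live container is never iterated while it can change, entries erased by an earlier
// visit are skipped, and entries inserted during the walk are simply not visited.
size_t safe_for_each(FeatureMap& m, const Visitor& visit) {
  std::vector<std::string> keys;
  keys.reserve(m.size());
  for (const auto& kv : m) keys.push_back(kv.first);
  size_t visited = 0;
  for (const auto& k : keys) {
    auto it = m.find(k);
    if (it == m.end()) continue;  // removed by an earlier visit
    visit(m, k, *it->second);     // may erase k or anything else; `it` is not used afterwards
    ++visited;
  }
  return visited;
}

// Constructed sample: four feature tags with arbitrary values.
FeatureMap make_sample() {
  FeatureMap m;
  for (const auto& [tag, v] : std::vector<std::pair<std::string, int>>{
           {"liga", 1}, {"dlig", -1}, {"swsh", 2}, {"calt", -3}}) {
    m.emplace(tag, std::make_unique<Entry>(Entry{tag, v}));
  }
  return m;
}

// Scenario 1 (the CVE shape): the visitor erases the entry it is currently visiting.
// Returns {entries visited, entries remaining}.
std::pair<size_t, size_t> run_drop_negative() {
  FeatureMap m = make_sample();
  size_t visited = safe_for_each(m, [](FeatureMap& map, const std::string& key, Entry& e) {
    if (e.value < 0) map.erase(key);  // e is dangling after this line and is not touched again
  });
  return {visited, m.size()};
}

// Scenario 2: the visitor erases a different entry that the walk has not reached yet.
std::pair<size_t, size_t> run_erase_neighbor() {
  FeatureMap m = make_sample();
  size_t visited = safe_for_each(m, [](FeatureMap& map, const std::string& key, Entry&) {
    if (key == "liga") map.erase("swsh");
  });
  return {visited, m.size()};
}

int main() {
  auto [v1, r1] = run_drop_negative();
  auto [v2, r2] = run_erase_neighbor();
  std::printf("drop_negative: visited=%zu remaining=%zu\n", v1, r1);   // 4, 2
  std::printf("erase_neighbor: visited=%zu remaining=%zu\n", v2, r2);  // 3, 3
  return 0;
}
```

The snapshot form is the one to reach for when the mutation comes from code you do not control, such as script running during style recalculation: the loop never holds an iterator across the callback, so nothing it does to the container can leave the loop pointing at freed memory. Where the loop body itself does the erasing, `it = m.erase(it)` is the lighter-weight fix.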

Attack Chain

Stage 1: Exploit Delivery

Attacker hosts crafted HTML/JavaScript on a malicious or compromised website. Delivery methods include watering hole attacks on legitimate sites, phishing emails with links, malicious ads through ad networks, or compromised websites with injected scripts.

Stage 2: Vulnerability Trigger

Chrome’s rendering engine processes the malicious CSS font feature values, triggering the use-after-free condition in CSSFontFeatureValuesMap. Memory corruption occurs in the renderer process.

Stage 3: Code Execution

Attacker achieves arbitrary code execution within the Chrome renderer process, confined by the sandbox unless a separate escape is chained. No user interaction beyond loading the page is required.

Stage 4: Post-Exploitation

Attacker steals what the compromised renderer can reach: session cookies and tokens for the origins it hosts, credentials entered into those pages, and API keys held in web storage. With a chained sandbox escape, stored passwords and other credentials on the host become reachable as well. For corporate users, either level enables a pivot to internal systems.

Impact Assessment

Chrome holds over 65% browser market share across corporate and consumer environments, making any Chrome vulnerability a substantial risk. The browser serves as the interface to cloud applications, email, collaboration tools, and internal corporate systems. A browser compromise is often the first step in targeted intrusions.

Exploit code running in the renderer can access session tokens, OAuth refresh tokens, and API keys in localStorage or sessionStorage for the origins it hosts, plus secrets displayed in or typed into those pages (CI/CD pipeline settings, internal service credentials, passwords a password manager fills into the page). With a sandbox escape, the whole browser profile is exposed. A single browser compromise can therefore grant access to many accounts and services.

The vulnerability can be exploited through drive-by attacks on legitimate websites, so it is also a third-party-content risk: a trusted news site or corporate site becomes dangerous if any script, ad, or widget it loads is compromised. The trigger is ordinary HTML, CSS and JavaScript served over TLS, so network monitoring has little to match on, and endpoint protection typically sees nothing until a renderer crash or post-exploitation behaviour (new child processes, unusual outbound connections) occurs.

Historical Context

Google stated exploit code exists in the wild and is actively being used in targeted attacks. The specific threat actors exploiting CVE-2026-2441 have not been publicly identified. The vulnerability was discovered by independent researcher Shaheen Fazim on February 11, 2026, who initiated responsible disclosure with Google.

The 2-day patching timeline reflects Google’s assessment that exploitation was ongoing. Developing and deploying an exploit before a fix existed suggests a well-resourced actor such as a nation-state or advanced threat group, but no attribution has been made.

Timeline

2026-02-11 — Vulnerability Discovered

Independent researcher Shaheen Fazim discovers the use-after-free vulnerability in CSSFontFeatureValuesMap during Chrome 145 testing. Responsible disclosure initiated with Google.

2026-02-13 — Emergency Patch Released

Google releases Chrome 145.0.7632.75 and 145.0.7632.76 as emergency security updates. The patch fixes the CSSFontFeatureValuesMap use-after-free.

2026-02-14 — CISA KEV Addition

CISA adds CVE-2026-2441 to Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.

2026-02-14 — Post-Patch Exploitation Continues

Chrome downloads updates in the background but applies them only when the browser is relaunched, so users who have not restarted since the update was fetched, or whose auto-update is disabled, are still running a vulnerable build and remain exposed to the ongoing campaigns.

Remediation & Mitigation

Update Chrome to version 145.0.7632.75 or later on all systems immediately and relaunch: an update that has been downloaded but not applied leaves the old build running (the running build is shown at chrome://version). Verify deployment across the fleet with endpoint management tools rather than trusting that auto-update has run. Push Chrome updates through Group Policy, MDM, or Google Update for Enterprise, and use the RelaunchNotification policy to force a restart within a set period.
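A fleet check for the version requirement above, added here as example code (not a Google tool). It assumes an inventory export with one line per host containing Chrome’s own version string; the sample lines and the "host:" prefix format are constructed. It applies to Google Chrome only: Edge, Brave and Opera use their own numbering, so their fixed builds must be taken from each vendor’s advisory. It also reports only the build a host reported, not whether a pending update has been applied by relaunch.

```cpp
// Added example, not a Google tool: decide whether a reported Chrome build is at or
// above the first fixed stable build named in this advisory. Versions must be compared
// component by component as numbers; plain string comparison is a trap
// ("145.0.7632.100" < "145.0.7632.75" lexicographically). Inventory lines are constructed.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

static const std::string kFixedChrome = "145.0.7632.75";

// Pull the first dotted run of digits (e.g. "145.0.7632.76") out of free text such as the
// chrome://version banner or "Google Chrome 145.0.7632.76". Returns "" if none is present.
std::string extract_version(const std::string& text) {
  size_t i = 0;
  while (i < text.size()) {
    if (!std::isdigit(static_cast<unsigned char>(text[i]))) { ++i; continue; }
    size_t j = i;
    while (j < text.size() &&
           (std::isdigit(static_cast<unsigned char>(text[j])) || text[j] == '.')) ++j;
    std::string cand = text.substr(i, j - i);
    while (!cand.empty() && cand.back() == '.') cand.pop_back();  // "76." -> "76"
    if (cand.find('.') != std::string::npos) return cand;          // need at least two parts
    i = j;
  }
  return "";
}

// Split "a.b.c.d" into numbers; reject anything that is not digits and dots.
std::vector<unsigned long> parse_version(const std::string& v) {
  std::vector<unsigned long> parts;
  std::string cur;
  for (char c : v + ".") {
    if (c == '.') {
      if (cur.empty()) throw std::invalid_argument("bad version: " + v);
      parts.push_back(std::stoul(cur));
      cur.clear();
    } else if (std::isdigit(static_cast<unsigned char>(c))) {
      cur += c;
    } else {
      throw std::invalid_argument("bad version: " + v);
    }
  }
  return parts;
}

// True when have >= minimum, numerically per component; missing trailing components count as 0.
bool is_at_least(const std::string& have, const std::string& minimum) {
  std::vector<unsigned long> a = parse_version(have), b = parse_version(minimum);
  size_t n = std::max(a.size(), b.size());
  a.resize(n, 0);
  b.resize(n, 0);
  for (size_t i = 0; i < n; ++i) {
    if (a[i] != b[i]) return a[i] > b[i];
  }
  return true;
}

// A line with no parseable version (Chrome absent, agent error) is treated as NOT patched:
// "unknown" must never be reported as "fixed".
bool chrome_is_patched(const std::string& reported) {
  std::string v = extract_version(reported);
  return !v.empty() && is_at_least(v, kFixedChrome);
}

// Constructed inventory sample, one "host: <chrome --version output>" line per endpoint.
const std::vector<std::string> kSampleInventory = {
    "ws-a: Google Chrome 145.0.7632.76",
    "ws-b: Google Chrome 144.0.7559.200",
    "ws-c: Google Chrome 145.0.7632.75",
    "ws-d: Google Chrome 145.0.7632.100",
    "ws-e: chrome not installed",
};

size_t count_unpatched(const std::vector<std::string>& inventory) {
  size_t n = 0;
  for (const auto& line : inventory) {
    if (!chrome_is_patched(line)) ++n;
  }
  return n;
}

int main() {
  for (const auto& line : kSampleInventory)
    std::printf("%-10s %s\n", chrome_is_patched(line) ? "ok" : "UNPATCHED", line.c_str());
  std::printf("unpatched: %zu of %zu\n", count_unpatched(kSampleInventory),
              kSampleInventory.size());  // 2 of 5
  return 0;
}
```

Feed it the version field from your inventory, not the whole record: a hostname or serial number containing dotted digits would otherwise be picked up as the version. The "unknown means unpatched" rule is deliberate; a host that cannot report a build needs a human to look at it, not a green tick.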

Implement conditional access policies requiring MFA for sensitive system access to reduce impact of stolen session tokens. Rotate API keys, OAuth tokens, and SSH keys that may have been exposed if users’ browsers were compromised before patching. Use short-lived tokens (minutes to hours) rather than long-lived credentials in browser-accessible environments.

Monitor for unusual sign-in activity to internal systems and cloud services. Review API access logs for unusual activity patterns. Implement browser isolation technology for high-risk users to run untrusted websites in isolated environments. Restrict Chrome extensions through enterprise policy, allowing only approved extensions from verified vendors.

Sources & References