Google patched a high-severity Chrome zero-day, CVE-2026-2441, that was actively exploited in the wild, fixing a use-after-free bug in CSSFontFeatureValuesMap that could allow remote code execution via a crafted HTML page.

The flaw, reported by security researcher Shaheen Fazim on February 11, 2026, affects Chrome and could lead to browser crashes, rendering issues, data corruption, or undefined behavior if exploited.

Users and organizations should apply the updates promptly to prevent potential compromises from unpatched browsers.

The advisory highlights broader ecosystem risks, including Chrome extensions siphoning user data, underscoring security concerns beyond the core software flaw.

The urgency to update is stressed amid an ongoing threat from actively exploited vulnerabilities in widely used software.

The incident reinforces that browser-based flaws remain a major attack vector given their widespread deployment.

Other Chromium-based browsers, including Edge, Brave, Opera, and Vivaldi, should apply fixes as they become available.

The issue affects Chromium-based browsers beyond Chrome, so users of those browsers should install updates when available.

In related Apple updates, a separate zero-day (CVE-2026-20700, CVSS 7.8) affecting iOS and other platforms was addressed amid targeted attacks.

A related use-after-free vulnerability in the same CSS processing component had been fixed a day earlier, flagged by researchers.

Exploitation could steal data from the browser or hijack sessions and enable further attacks, though a full system takeover would require escaping the sandbox.

In the same week, Chrome 145 development build was released, fixing three high-risk and eight lower-risk vulnerabilities as part of ongoing security improvements.