Overview
- On Feb. 23, a researcher published fresh exploit code and a detailed write‑up for CVE-2026-2441, demonstrating reliable triggers against vulnerable Blink CSS code.
- Google fixed the flaw on Feb. 13 with emergency Chrome updates to 145.0.7632.75/76 on Windows and macOS and 144.0.7559.75 on Linux after confirming active exploitation.
- The bug is an iterator‑invalidation use‑after‑free in CSSFontFeatureValuesMap that attackers can trigger via @font-feature-values, enabling drive‑by code execution in the renderer.
- Chromium‑based browsers, including Edge, Brave, Opera and others, are affected until they receive their equivalent updates, while Firefox and Safari are not impacted by this issue.
- CISA added the CVE to its Known Exploited Vulnerabilities catalog on Feb. 17 with a March 10 deadline, and advisories urge immediate updates plus defense‑in‑depth such as strict CSP and sandboxing.
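
A fleet-inventory triage against the fixed Chrome builds listed above, as an added example that is not part of the original page. The record layout, function names and status labels are assumptions, and the sample inventory is constructed. Non-Chrome browsers and later milestones are marked for manual verification because the overview gives fixed builds only for Chrome.

```python
import re

# Fixed Google Chrome builds as stated in the overview (first fixed build per platform).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"\d+(\.\d+){3}")

# Constructed sample inventory: (host, browser, platform, reported version).
SAMPLE_INVENTORY = [
    ("host-a", "Chrome", "Windows", "145.0.7632.76"),
    ("host-b", "Chrome", "Windows", "145.0.7632.8"),   # "8" < "75" only if compared as numbers
    ("host-c", "Chrome", "Linux", "144.0.7559.75"),
    ("host-d", "Chrome", "Linux", "143.0.7499.192"),
    ("host-e", "Edge", "Windows", "145.0.3800.58"),
    ("host-f", "Chrome", "macOS", "unknown"),
    ("host-g", "Chrome", "Linux", "145.0.7632.10"),
]


def triage(browser, platform, version):
    """Classify one record as patched, vulnerable, or needing manual verification."""
    browser, platform, version = (s.strip().lower() for s in (browser, platform, version))
    if browser != "chrome":
        # Other Chromium-based browsers ship their own fixed builds,
        # which the overview does not list: check the vendor's release notes.
        return "verify-vendor"
    if platform not in FIXED or not VERSION_RE.fullmatch(version):
        return "verify-unparsed"
    have = tuple(int(part) for part in version.split("."))
    fixed = FIXED[platform]
    if have[0] > fixed[0]:
        # Later milestone than the one named for this platform; the overview
        # does not say which builds on that branch carry the fix.
        return "verify-newer-branch"
    return "patched" if have >= fixed else "vulnerable"


def triage_fleet(records):
    """Return {host: status} for every inventory record."""
    return {host: triage(b, p, v) for host, b, p, v in records}


if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```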