Chrome's First Zero-Day of 2026: A CSS Bug That Lets Attackers Run Code From a Webpage

What Happened
Google released an emergency update for Chrome on February 15, 2026, patching a high-severity zero-day vulnerability that was already being exploited in the wild. The flaw, tracked as CVE-2026-2441 (CVSS 8.8), is a use-after-free bug in Chrome's CSS engine that allows remote code execution through a crafted webpage.
In plain language: an attacker could build a malicious webpage that, when visited in Chrome, executes code inside the browser's sandbox. No clicks required beyond visiting the page.
This is Chrome's first actively exploited zero-day of 2026.
The Technical Details
CVE-2026-2441 targets the interaction between CSS @property registration and paint() worklet initialization on Chrome's compositor thread.
Here's what that means in practical terms:
- CSS @property lets developers define custom CSS properties with types and defaults
- CSS paint() worklets allow custom rendering logic on the compositor thread
- The vulnerability exploits a race condition between registering a custom property and initializing a paint worklet — when timed correctly, this creates a use-after-free condition where the compositor accesses memory that has already been freed
A use-after-free in the compositor thread is particularly dangerous because:
- The compositor handles rendering and runs with relatively high privileges within Chrome's process architecture
- It processes visual data from every webpage, making it a high-value target
- Successful exploitation can lead to code execution within the renderer sandbox
While Chrome's sandbox should limit the blast radius, use-after-free bugs are a common stepping stone for sandbox escape chains — where one exploit breaks into the sandbox, and a second exploit breaks out of it.
Who Found It
Security researcher Shaheen Fazim discovered and reported the vulnerability to Google on February 11, 2026. Google confirmed active exploitation just four days later and shipped the patch.
Google hasn't disclosed who was exploiting this, how widespread the attacks were, or who was targeted. This is standard practice — Google typically withholds exploitation details until a majority of users have updated.
What You Need to Do
Update Chrome Immediately
Patched versions:
- Windows/macOS: 145.0.7632.75 or 145.0.7632.76
- Linux: 145.0.7632.75
To check your version: chrome://settings/help
Chrome auto-updates, but auto-update isn't instant. If you haven't restarted Chrome recently, you might still be running a vulnerable version.
If You Build Web Applications
This vulnerability is in the browser, not in your code. But it's a reminder of a few things:
- Content Security Policy matters — A strong CSP can limit what an attacker can do even if they achieve code execution through a browser bug
- Subresource Integrity (SRI) — If you're loading third-party CSS or JS, SRI ensures it hasn't been tampered with
- Paint worklets are powerful — If you're using the CSS Paint API (CSS.paintWorklet), be aware that this is a complex browser subsystem with a history of bugs
If You Manage Infrastructure
- Force browser updates across your fleet — Don't assume auto-update is enough
- Monitor for exploit indicators — While specific IoCs haven't been published, watch for unusual crashes or renderer process behavior in Chrome logs
- Consider browser isolation — For high-risk environments, browser isolation solutions can contain the impact of renderer exploits
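As an added example (not from the original article or from Google), this script classifies fleet hosts against the patched builds listed above and separates hosts where the update is installed but Chrome has not been restarted. The inventory tuple format, the host names and the non-patched version strings are constructed assumptions; feed it whatever your endpoint management tooling reports.

```python
"""Added example: flag fleet hosts still exposed to CVE-2026-2441."""

# Minimum patched Chrome builds per platform, taken from the article.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (145, 0, 7632, 75),
}

def parse_version(text):
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, installed, running):
    """Return 'patched', 'restart-pending', 'vulnerable' or 'unknown' for one host."""
    minimum = PATCHED.get(os_name.lower())
    inst, run = parse_version(installed), parse_version(running)
    if minimum is None or inst is None or run is None:
        return "unknown"
    # Compare as integer tuples: as strings, "145.0.7632.9" sorts above ".75".
    if run >= minimum:
        return "patched"
    # The running binary is old; the update may be staged until Chrome restarts.
    return "restart-pending" if inst >= minimum else "vulnerable"

def audit(inventory):
    """Return {host: status} for every host that is not confirmed patched."""
    findings = {}
    for host, os_name, installed, running in inventory:
        status = classify(os_name, installed, running)
        if status != "patched":
            findings[host] = status
    return findings

# Constructed sample inventory: (host, os, installed version, running version).
SAMPLE = [
    ("ws-001", "windows", "145.0.7632.76", "145.0.7632.76"),
    ("ws-002", "windows", "145.0.7632.75", "145.0.7632.9"),
    ("mac-007", "macos", "144.0.0.1", "144.0.0.1"),
    ("lin-003", "linux", "145.0.7632.75", "145.0.7632.75"),
    ("ws-009", "windows", "not installed", ""),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check rather than being counted as safe.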
The Bigger Picture
Use-after-free vulnerabilities in browsers are not new. They're one of the most common classes of browser security bugs and have been the entry point for some of the most sophisticated attack chains in recent years.
What's notable about CVE-2026-2441 is the attack surface: CSS. Not JavaScript. Not WebAssembly. Not a media codec. The styling engine — something every single webpage uses — had an exploitable memory corruption bug.
This reinforces a reality that security teams have been dealing with for years: the browser is the most exposed piece of software on any machine. Every feature, every API, every rendering path is a potential attack surface. And attackers are finding bugs in places most developers wouldn't think to look.
Google's four-day turnaround from report to patch is impressive. But the fact that it was already being exploited when reported means the attackers found it first.