Google Patches its First Zero-day Vulnerability of the Year (CVE-2026-2441)

Google released a security advisory to address a high-severity zero-day vulnerability in Chrome. Tracked as CVE-2026-2441, the vulnerability is being exploited in the wild.

The vulnerability is a use-after-free flaw in the browser’s CSS handling. An independent researcher, Shaheen Fazim, discovered and reported the vulnerability to Google on February 11, 2026.

Use-after-free flaws often stem from improper object lifecycle management in rendering engines, allowing freed memory to be accessed after deallocation.

Affected Versions

The vulnerability affects Google Chrome versions before 145.0.7632.75/76.

Mitigation

Customers must upgrade to the latest stable channel version 145.0.7632.75/76 for Windows/Mac and 144.0.7559.75 for Linux.

For more information, please refer to the Google Chrome Release Page.
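As an added example (not from Google or Qualys), the following sketch triages an asset inventory against the fixed builds listed above. It assumes any build at or above the listed one for a platform is patched; the hostnames, platform labels, and sample versions are constructed for illustration.

```python
import re

# First patched build per platform, as stated in this advisory.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "mac": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version, e.g. from `chrome --version` output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(platform, version_text):
    """True when the installed build is older than the platform's fixed build."""
    fixed = FIXED[platform.lower()]
    # Integer tuples compare field by field, so 7632.9 < 7632.75 as intended;
    # comparing the raw strings would rank ".9" above ".75" and miss the host.
    return parse_version(version_text) < fixed


def triage(inventory):
    """Return (host, platform, version) for hosts that still need the update."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if is_vulnerable(platform, version_text):
                findings.append((host, platform, parse_version(version_text)))
        except (KeyError, ValueError):
            # Unknown platform or unparseable version: flag for manual review.
            findings.append((host, platform, None))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.9"),
    ("mb-07", "mac", "Google Chrome 144.0.7559.110"),
    ("lx-03", "linux", "Google Chrome 144.0.7559.75"),
    ("lx-04", "linux", "Google Chrome 143.0.7499.192 "),
    ("kiosk", "chromeos", "unknown"),
]
```

Calling `triage(SAMPLE)` returns the four hosts that need attention; an entry with `None` as its version could not be evaluated and should be checked by hand.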

Qualys Detection

Qualys customers can scan their devices with QID 386573 to detect vulnerable assets.

Rapid Response with TruRisk™ Eliminate

Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html