5 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-2441 is a high-severity use-after-free vulnerability in the CSS component of Google Chrome caused by improper memory handling. A remote attacker can exploit this flaw by convincing a user to visit a specially crafted web page, leading to arbitrary code execution within the browser context. This vulnerability is actively exploited in the wild and poses significant risk to unpatched systems, particularly in enterprise environments where browser access is widespread.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Use-After-Free in Google Chrome CSS Component Leading to Code Execution
CVSS Score: 8.3 (High)
Identifier: CVE-2026-2441
Exploit or POC: CVE-2026-2441 is confirmed to be actively exploited in the wild.
Update:
Google released fixes for CVE-2026-2441 in a Stable Channel update for Google Chrome. Users and organizations should update Chrome immediately and restart the browser to ensure the fix is applied.
Fixed versions include:
Google Chrome 145.0.7632.75 and later on Windows and macOS
Corresponding Stable Channel versions on Linux as referenced in Google's release notes
Official Google release information:
Description:
CVE-2026-2441 is a use-after-free vulnerability (CWE-416) in the CSS component of Google Chrome. By exploiting improper memory handling, a remote attacker can execute arbitrary code by convincing a victim to load a malicious web page
Mitigation Recommendation:
Immediately update Google Chrome to the latest Stable Channel version and enforce browser restarts to complete patching.
In enterprise environments, enforce automatic browser updates and verify version compliance across endpoints.
