PoC Released for Critical Chrome CVE-2026-2441 Zero-Day Exploited in the Wild
A public proof-of-concept exploit targets CVE-2026-2441, a critical use-after-free zero-day in Chrome’s Blink CSS engine. Google has confirmed active in-the-wild exploitation. Security researcher Shaheen Fazim reported the bug on February 11, 2026, and Google patched it two days later in emergency releases.
The flaw lives in CSSFontFeatureValuesMap. An iterator holds a raw pointer into the FontFeatureAliases HashMap. Mutating the map during iteration triggers a rehash, which frees the old storage while the iterator’s pointer still points at it. FetchNextItem then reads freed heap memory, causing crashes or potentially code execution.
Chrome’s first zero-day of 2026 affects the renderer process, so the sandbox initially limits the damage; attackers chain it with a sandbox escape. The PoC shows three trigger paths, and heap grooming with @font-feature-values rules improves reliability.
Affected Versions Table
| Platform | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Windows/macOS Stable | < 145.0.7632.75 | ≥ 145.0.7632.75 |
| Linux Stable | < 144.0.7559.75 | ≥ 144.0.7559.75 |
| Extended Stable | < 144.0.7559.177 | ≥ 144.0.7559.177 |
| Chromium-based | Vendor-specific | Check vendor patches |
Update via chrome://settings/help immediately.
PoC Trigger Methods
| Method | Technique |
|---|---|
| entries() Iterator | Mutation loop during iteration |
| for…of Loop | Concurrent delete + heap spray |
| requestAnimationFrame | Layout recalc mid-iteration |
The PoC uses 50 @font-feature-values rules to groom the heap layout.
Technical Root Cause
FontFeatureValuesMapIterationSource stores a raw pointer, aliases_, to the map’s backing storage. A set() or delete() call invokes HashMap::rehash(), which frees the old storage, but the iterator still holds the stale pointer. The next FetchNextItem() call dereferences it, a use-after-free that on Windows surfaces as a STATUS_ACCESS_VIOLATION crash.
Google’s fix: deep-copy the HashMap so the iterator works on isolated storage.
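The iterator-invalidation pattern and the deep-copy fix, as an added C++ illustration that is not the page’s or Chromium’s code: AliasMap, RawPointerIterator and mutate_during_iteration are constructed toy types, not Blink’s, and the "rehash" is modelled as moving entries into a fresh allocation. The dangling pointer is checked by address only, never dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>
// Toy map whose storage is replaced ("rehashed") when it grows.
// Constructed for illustration; it is not Blink's HashMap.
struct AliasMap {
    using Entry = std::pair<std::string, std::string>;
    std::vector<Entry> storage;   // the buffer a rehash frees and replaces
    std::size_t capacity = 2;
    AliasMap() { storage.reserve(capacity); }
    void set(const std::string& k, const std::string& v) {
        if (storage.size() + 1 > capacity) rehash();   // grow before inserting
        storage.emplace_back(k, v);
    }
    void rehash() {   // move entries into a fresh, larger allocation
        capacity *= 2;
        std::vector<Entry> fresh;
        fresh.reserve(capacity);
        for (auto& e : storage) fresh.push_back(std::move(e));
        storage.swap(fresh);   // the old buffer is freed when `fresh` dies
    }
};
// Vulnerable pattern: the iterator remembers the address of the map's storage
// (kept as an integer so the check below never touches freed memory).
struct RawPointerIterator {
    std::uintptr_t base;
    explicit RawPointerIterator(const AliasMap& m)
        : base(reinterpret_cast<std::uintptr_t>(m.storage.data())) {}
    // True once a rehash moved the storage: dereferencing it now is the UAF.
    bool is_dangling(const AliasMap& m) const {
        return base != reinterpret_cast<std::uintptr_t>(m.storage.data());
    }
};
// Returns {raw iterator dangles after a mid-iteration set(),
//          entries a deep-copy snapshot iterator still yields}.
std::pair<bool, std::size_t> mutate_during_iteration() {
    AliasMap m;
    m.set("swash", "1");
    m.set("ornm", "2");
    RawPointerIterator raw(m);
    std::vector<AliasMap::Entry> snapshot = m.storage;   // the fix: a private copy
    m.set("styleset", "3");   // third entry exceeds capacity 2 -> rehash
    std::size_t seen = snapshot.size();   // copy is untouched by the rehash
    return {raw.is_dangling(m), seen};
}
```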
Impact Breakdown
The renderer sandbox confines the immediate effects to:
- Arbitrary read/write within the sandbox.
- V8 heap leaks that bypass ASLR.
- Theft of document.cookie and localStorage.
- Session tokens via IndexedDB.
Chained with a sandbox escape, it leads to full compromise, much like the Pegasus WebKit attacks.
Delivery Vectors
No user interaction beyond page visit:
- Malvertising on legitimate sites.
- Watering hole compromises.
- Spear-phishing HTML attachments.
- Compromised WordPress plugins.
Detection Signatures
Monitor renderer crashes for:
- SIGSEGV in Blink CSS parsing.
- High CSS @font-feature-values rule counts.
- Heap allocation spikes during layout.
Chrome’s chrome://crashes page lists the crash reports in which UAF patterns appear.
Patch Verification Steps
- Navigate to chrome://settings/help.
- Confirm version ≥ 145.0.7632.75 (Win/macOS).
- Enable Site Isolation: chrome://flags/#site-isolation-trial-opt-out.
- Test PoC page crashes on fixed builds.
Enterprise: deploy updates through WSUS/GPO to enforce auto-updates.
Risk by Browser Family
| Browser | Risk Level | Patch Status |
|---|---|---|
| Chrome | High | Available |
| Edge | High | Check Microsoft |
| Brave | High | Available |
| Opera/Vivaldi | High | Vendor patches |
Potentially more than 3 billion users are affected.
FAQ
- The iterator’s raw pointer dangles after the HashMap rehashes during a mutation.
- 145.0.7632.75+ (Win/macOS), 144.0.7559.75+ (Linux).
- Yes, Google confirms active in-the-wild exploitation.
- It contains renderer RCE; a chain is needed for a sandbox escape.
- The GitHub PoC demonstrates a safe crash reproduction.
- Added to the KEV catalog, requiring immediate action.