Google has released emergency updates to fix a high-severity zero-day vulnerability in its Chrome web browser that has already been exploited in the wild by threat actors. This marks the first actively exploited Chrome zero-day patched so far in 2026 — highlighting the continuing risk of browser-based security flaws and the importance of immediate patching.

What’s Happening

On February 16, 2026, Google issued an urgent Chrome update addressing a zero-day vulnerability tracked as CVE-2026-2441. The company confirmed that an exploit for this flaw exists in the wild, meaning attackers have been leveraging the bug before most users were patched.

The issue is a use-after-free vulnerability in Chrome’s CSS rendering component (specifically, the CSSFontFeatureValuesMap). When triggered via a specially crafted webpage, the flaw allows remote attackers to execute arbitrary code inside the browser’s security sandbox — potentially leading to crashes, unexpected behavior, or further exploitation.

While Google has not disclosed details about specific attack campaigns or targeted victims, it stated that technical specifics remain restricted until most users have applied the fix to avoid aiding other threat actors.

Affected Users

Chrome’s emergency patch is being rolled out across platforms:

If you use Chrome on these devices, ensure your browser has been updated to the above versions or later. Chrome normally updates automatically, but you can force the update by navigating to Menu → Help → About Google Chrome and relaunching the browser.

Why This Matters

• High Severity: The vulnerability carries a high severity score and allows code execution from a remote webpage.

• Actively Exploited: This is the first actively exploited Chrome zero-day patched in 2026, underlining how quickly attackers leverage newly discovered flaws.

• Browser Ubiquity: Chrome is one of the most widely used browsers worldwide — making any zero-day in it a critical threat vector for users on corporate networks and personal devices alike.

This also follows a year — 2025 — in which Google addressed eight other zero-day vulnerabilities that were actively abused in the wild across various attacks.

What You Should Do

• Update Immediately: Ensure Chrome is up to date on all your devices with the patched versions listed above.

• Restart the Browser: Even if automatic updates are enabled, restarting Chrome can ensure any pending patch is applied.

• For Managed Environments: Administrators should push out the updated versions via their patch management systems to all endpoints.

• Monitor Threat Intel: Stay tuned to security advisories from Google and industry partners for any additional details as they emerge.

Bottom Line

This Chrome zero-day patch underscores the persistent threat posed by browser vulnerabilities — especially those exploited before most users receive fixes. Immediate updating and consistent patch management remain critical defenses against in-the-wild exploitation of such serious flaws.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.