{“lastseen”:”2026-02-17T14:23:16″,”description”:”Google has issued a patch for a high\u2011severity Chrome zero\u2011day, tracked as CVE\u20112026\u20112441, a memory bug in how the browser handles certain font features that attackers are already exploiting.\\n\\nCVE-2026-2441 has the questionable honor of being the first Chrome zero-day of 2026. Google considered it serious enough to issue a separate update of the stable channel for it, rather than wait for the next major release.\\n\\n## How to update Chrome\\n\\nThe latest version number is **145.0.7632.75\/76** for Windows and macOS, and ****145.0.7632.** 75** for Linux. So, if your Chrome is on version ****145.0.7632****.**75 or later,** it\u2019s protected from these vulnerabilities.\\n\\nThe easiest way to update is to allow Chrome to update automatically. But you can end up lagging behind if you never close your browser or if something goes wrong, such as an extension preventing the update.\\n\\nTo update manually, click the **More** menu (three dots), then go to **Settings** \\u003e **About Chrome**. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you\u2019ll be protected against these vulnerabilities.\\n\\nChrome at version 145.0.7632.76 is up to date\\n\\nYou can also find step-by-step instructions in our guide to how to update Chrome on every operating system.\\n\\n## Technical details\\n\\nGoogle confirms it has seen active exploitation but is not sharing who is being targeted, how often, or detailed indicators yet.\\n\\nBut we can derive some information from what we know.\\n\\nThe vulnerability is a use\u2011after\u2011free issue in Chrome\u2019s CSS font feature handling (CSSFontFeatureValuesMap), which is part of how websites display and style text. More specifically: The root cause is an iterator invalidation bug. Chrome would loop over a set of font feature values while also changing that set, leaving the loop pointing at stale data until an attacker managed to turn that into code execution.\\n\\nUse-after-free (UAF) is a type of software vulnerability where a program attempts to access a memory location after it has been freed. That can lead to crashes or, in some cases, lets an attacker run their own code.\\n\\nThe CVE-record says, \\”Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\\” (Chromium security severity: High)\\n\\nThis means an attacker would be able to create a special website, or other HTML content that would run code inside the Chrome browser\u2019s sandbox.\\n\\nChrome\u2019s sandbox is like a secure box around each website tab. Even if something inside the tab goes rogue, it should be confined and not able to tamper with the rest of your system. It limits what website code can touch in terms of files, devices, and other apps, so a browser bug ideally only gives an attacker a foothold in that restricted environment, not full control of the machine.\\n\\nRunning arbitrary code inside the sandbox is still dangerous because the attacker effectively \u201cbecomes\u201d that browser tab. They can see and modify anything the tab can access. Even without escaping to the operating system, this is enough to steal accounts, plant backdoors in cloud services, or reroute sensitive traffic.\\n\\nIf chained with a vulnerability that allows a process to escape the sandbox, an attacker can move laterally, install malware, or encrypt files, as with any other full system compromise.\\n\\n## How to stay safe\\n\\nTo protect your device against attacks exploiting this vulnerability, you\u2019re strongly advised to update as soon as possible. Here are some more tips to avoid becoming a victim, even before a zero-day is patched:\\n\\n * Don\u2019t click on unsolicited links in emails, messages, unknown websites, or on social media.\\n * Enable automatic updates and restart regularly. Many users leave browsers open for days, which delays protection even if the update is downloaded in the background.\\n * Use an up-to-date, real-time anti-malware solution which includes a web protection component.\\n\\n\\n\\nUsers of other Chromium-based browsers can expect to see a similar update.\\n\\n* * *\\n\\n**We don ‘t just report on threats\u2014we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.”,”published”:”2026-02-17T12:33:13″,”modified”:”2026-02-17T12:33:13″,”type”:”malwarebytes”,”title”:”Update Chrome now: Zero-day bug allows code execution via malicious webpages”,”source”:””,”references”:””,”id”:”MALWAREBYTES:C2E33000C9FCA2DB9DA991844B820AC2″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2026-2441″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/update-chrome-now-zero-day-bug-allows-code-execution-via-malicious-webpages”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-17T14:23:16″,”description”:”Google has issued a patch for a high\u2011severity Chrome zero\u2011day, tracked as CVE\u20112026\u20112441, a memory bug in how the browser handles certain font features that…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,41,12,15,115,13,7,11,5],"class_list":["post-41109","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-malwarebytes","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n