Google has been forced to push emergency updates to billions of users following the discovery of a high-severity, actively exploited vulnerability in its Chrome browser. It is the first Chrome zero-day patched this year, and the situation has escalated rapidly: full technical details and a working Proof-of-Concept (PoC) exploit have now been published for anyone to see.
“Google is aware that an exploit for CVE-2026-2441 exists in the wild,” the tech giant confirmed in a security advisory issued late last Friday.
While Google has kept its own incident reports close to the chest, security researcher Hüseyin TINTAŞ recently published an extensive technical breakdown alongside ready-to-use exploit code on GitHub.
The vulnerability, originally reported by researcher Shaheen Fazim, is classified as a “use-after-free” (UAF) bug rooted in an iterator invalidation issue.
The flaw exists within CSSFontFeatureValuesMap, the component Chrome uses to implement CSS font feature values. According to the technical details released by TINTAŞ, the root cause lies in how the browser manages memory while iterating over font features.
“FontFeatureValues MapIterationSource stored a raw pointer (const FontFeatureAliases* aliases_) to the internal FontFeatureAliases HashMap,” the technical write-up explains.
The attack works by interrupting this iteration. If an attacker's script calls map.set() or map.delete() while the browser is still iterating through the map, the underlying HashMap is forced to rehash and allocate new storage, freeing the old storage.
Because the iterator still holds the raw aliases_ pointer, that pointer instantly becomes a "dangling pointer" into freed memory. The next time the browser attempts to fetch an item through it, it triggers the use-after-free.
The public PoC demonstrates just how versatile this flaw is, highlighting three distinct methods to trigger the memory corruption:
- Method 1: Utilizing the entries() Iterator combined with a Mutation Loop.
- Method 2: Employing a for… of loop with Concurrent Mutation.
- Method 3: Abusing requestAnimationFrame to force a Layout Recalculation.
Successful exploitation can allow attackers to trigger browser crashes, rendering issues, data corruption, or other undefined behavior, which often paves the way for remote code execution.
To patch this zero-day, Google developers altered how the memory is referenced. "The fix replaces the raw pointer with a deep copy of the HashMap," the commit history reveals. "Even if the original map rehashes, the iterator operates on its own copy, preventing the dangling pointer."
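The bug class described above (an iteration source that keeps a raw pointer into a hash map whose storage is reallocated by a rehash) and the fix Google shipped (iterate over a private copy) are easy to model outside of Blink. The following C++ is an added illustration written for this article, not Blink's code or the published PoC: `FontFeatureAliases`, `LiveIterationSource`, `SnapshotIterationSource` and `IterateWhileMutating` are stand-ins modelled on the names in the write-up, and the sample alias map is constructed. The "live" source mirrors the pre-fix shape but, instead of dereferencing a dangling iterator, checks a storage-change proxy (`bucket_count()`) first, so the invalidation is reported rather than turned into undefined behaviour; the "snapshot" source mirrors the deep-copy fix.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <unordered_map>

// Stand-in for Blink's FontFeatureAliases HashMap: alias name -> feature value.
// Illustrative model only, not Blink's own type.
using FontFeatureAliases = std::unordered_map<std::string, int>;

enum class Step { kItem, kDone, kInvalidated };

// Pre-fix shape: a raw pointer to the live map plus an iterator into its
// storage. A rehash reallocates that storage and it_ dangles; advancing it
// would be the use-after-free. Here a bucket_count() change is used as a
// dereference-free proxy for "the table rehashed" so the condition is
// reported instead of exercised.
class LiveIterationSource {
 public:
  explicit LiveIterationSource(const FontFeatureAliases& aliases)
      : aliases_(&aliases), it_(aliases.begin()),
        buckets_at_start_(aliases.bucket_count()) {}
  LiveIterationSource(const LiveIterationSource&) = delete;
  LiveIterationSource& operator=(const LiveIterationSource&) = delete;

  Step Next(std::string* key) {
    if (aliases_->bucket_count() != buckets_at_start_) return Step::kInvalidated;
    if (it_ == aliases_->end()) return Step::kDone;
    *key = it_->first;
    ++it_;
    return Step::kItem;
  }

 private:
  const FontFeatureAliases* aliases_;      // raw pointer, as in the bug
  FontFeatureAliases::const_iterator it_;  // invalid after a rehash
  std::size_t buckets_at_start_;
};

// Post-fix shape: the source owns a deep copy taken when iteration begins,
// so no later mutation of the live map can touch the storage it walks.
class SnapshotIterationSource {
 public:
  explicit SnapshotIterationSource(const FontFeatureAliases& aliases)
      : copy_(aliases), it_(copy_.begin()) {}
  SnapshotIterationSource(const SnapshotIterationSource&) = delete;
  SnapshotIterationSource& operator=(const SnapshotIterationSource&) = delete;

  Step Next(std::string* key) {
    if (it_ == copy_.end()) return Step::kDone;
    *key = it_->first;
    ++it_;
    return Step::kItem;
  }

 private:
  FontFeatureAliases copy_;                // declared before it_ on purpose
  FontFeatureAliases::const_iterator it_;
};

struct IterationResult {
  std::size_t visited = 0;
  Step final_state = Step::kDone;
};

// Walks `live` through `Source` and, after each yielded entry, inserts
// `inserts_per_step` fresh aliases into the live map (the role map.set()
// plays in the write-up). Enough inserts exceed the load factor and force a
// rehash, which is exactly the moment the pre-fix iterator is invalidated.
template <typename Source>
IterationResult IterateWhileMutating(FontFeatureAliases& live, int inserts_per_step) {
  Source source(live);
  IterationResult result;
  std::string key;
  int serial = 0;
  for (;;) {
    Step step = source.Next(&key);
    if (step != Step::kItem) { result.final_state = step; break; }
    ++result.visited;
    for (int i = 0; i < inserts_per_step; ++i, ++serial)
      live["synthetic-alias-" + std::to_string(serial)] = serial;
  }
  return result;
}

// Constructed sample standing in for a small @font-feature-values block.
FontFeatureAliases MakeSampleAliases() {
  return {{"swashy", 1}, {"flowing", 2}, {"small-caps-alt", 3}, {"nice-style", 4}};
}

int main() {
  FontFeatureAliases a = MakeSampleAliases();
  IterationResult live = IterateWhileMutating<LiveIterationSource>(a, 50);
  FontFeatureAliases b = MakeSampleAliases();
  IterationResult snap = IterateWhileMutating<SnapshotIterationSource>(b, 50);
  std::cout << "live source: visited " << live.visited
            << (live.final_state == Step::kInvalidated ? " then invalidated" : "") << "\n"
            << "snapshot source: visited " << snap.visited << " of 4, live map now "
            << b.size() << " entries\n";
  return 0;
}
```

With mutation, the live-pointer source yields one entry and then detects that the table rehashed (in Blink it would have read freed memory instead), while the snapshot source walks all four original entries regardless of how much script adds to the live map in between. Without mutation both sources behave identically, which is why the bug only surfaces when the map is changed mid-iteration.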
With the exploit code now widely available and confirmed in-the-wild attacks ongoing, applying the emergency update is critical. Google has released the fix to the Stable Desktop channel. Users should verify their browsers are updated to:
- Windows and macOS: version 145.0.7632.75/76.
- Linux: version 144.0.7559.75.