Google Patches Actively Exploited Chrome Zero-Day Vulnerability

Google has released an urgent security update for its Chrome web browser to address a critical vulnerability that is already being exploited by attackers. The update, issued on Friday, February 14, 2026, patches a high-severity flaw that could allow malicious actors to take control of affected systems.

The vulnerability, identified as CVE-2026-2441, carries a CVSS severity score of 8.8 out of 10. It is classified as a “use-after-free” bug within the browser’s CSS, or Cascading Style Sheets, component. This type of memory corruption flaw can enable remote code execution if successfully exploited.

Discovery and Immediate Response

Security researcher Shaheen Fazim discovered and reported the security shortcoming to Google on February 11, 2026. The company’s security team confirmed that the flaw was being actively exploited “in the wild” before a patch was available, prompting the out-of-cycle update.

Google’s advisory stated the update is rolling out to the stable desktop channel for Windows, Mac, and Linux users. The patched versions are 132.0.6834.83 for Windows and Mac, and 132.0.6834.84 for Linux. The company typically does not disclose specific details about vulnerabilities until a majority of users have updated, to prevent further exploitation.

Understanding the Threat

A use-after-free vulnerability occurs when a program continues to use a pointer to a memory location after it has been freed or deallocated. This can corrupt valid data and allow an attacker to execute arbitrary code on the target machine. In the context of a web browser, such flaws are often exploited by luring users to a specially crafted malicious website.

Given that the flaw resides in the CSS engine, exploitation could be triggered through manipulated web pages or advertisements. Successful exploitation could lead to a complete compromise of the browser and potentially the underlying operating system, depending on the user’s privileges and system configuration.

User Action Required

Chrome users are strongly advised to ensure their browser is updated immediately. The browser typically updates automatically when it is closed and reopened. Users can manually check for updates by navigating to the “Help” menu and selecting “About Google Chrome.” The browser will then check for and install any available updates.

This marks the first zero-day vulnerability patched in Chrome for the 2026 calendar year. A zero-day refers to a software vulnerability that is exploited by attackers before the vendor has released a fix for it. The rapid exploitation underscores the ongoing targeting of widely used software platforms like Chrome, which boasts over three billion users globally.

Broader Security Context

The patching of this flaw follows a consistent pattern of frequent security updates for major browsers. Google, along with other browser vendors like Mozilla and Microsoft, maintains a continuous cycle of identifying and fixing vulnerabilities through internal audits and external bug bounty programs.

Security experts routinely recommend keeping all software, especially web browsers and operating systems, updated to the latest versions as a primary defense against such threats. Using additional security measures, such as enabling enhanced protection modes within browsers, can provide further mitigation against novel exploits.

Organizations managing large fleets of Chrome browsers are advised to push the update through their standard enterprise deployment channels without delay. System administrators should verify that the new version is installed across all endpoints to close the security gap.
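
One way to run the endpoint verification described above, shown as an added example that is not from Google's advisory or the original article: it checks an exported inventory against the patched versions quoted earlier, comparing version components numerically because a plain string comparison would rank 132.0.6834.9 above 132.0.6834.83. The CSV layout (host, os, version), the status labels and the sample hosts are assumptions made for illustration.

```python
import csv
import io

# Patched versions as stated in the article, per desktop platform.
PATCHED = {
    "windows": (132, 0, 6834, 83),
    "mac": (132, 0, 6834, 83),
    "linux": (132, 0, 6834, 84),
}

def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {hostname: status} for each host,os,version row."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        minimum = PATCHED.get(row["os"].strip().lower())
        version = parse_version(row["version"] or "")
        if minimum is None:
            results[host] = "unknown-os"    # platform not covered by the article
        elif version is None:
            results[host] = "unparseable"   # treat as unpatched until checked
        elif version < minimum:             # tuple comparison is numeric per field
            results[host] = "vulnerable"
        else:
            results[host] = "patched"
    return results

# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = """host,os,version
ws-001,Windows,132.0.6834.83
ws-002,Windows,132.0.6834.9
mb-014,Mac,131.0.6778.265
lx-007,Linux,132.0.6834.83
lx-008,Linux,132.0.6834.84
kiosk-3,ChromeOS,132.0.6834.83
ws-099,Windows,
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown-os or unparseable need manual follow-up rather than being counted as patched.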

Looking ahead, users and organizations should expect Google to provide more detailed technical information about CVE-2026-2441 in the coming weeks, once widespread deployment of the patch is confirmed. Further analysis by independent security researchers will likely follow, shedding light on the exploit methods used by attackers. The Chrome security team continues to investigate whether this vulnerability affects other Chromium-based browsers, such as Microsoft Edge and Opera, which typically adopt these core security fixes.

Source: Google Chrome Releases Blog