Google Urges Chrome Users to Update Immediately After Patching First Zero-Day Exploit of 2026

Google has released an urgent security update for its Chrome browser to address a high-severity zero-day vulnerability actively exploited in the wild, marking the first such flaw patched in 2026.

The vulnerability, tracked as CVE-2026-2441 and assigned a CVSS severity score of 8.8, is a use-after-free bug in Chrome’s CSS handling. It allows a remote attacker to execute arbitrary code inside the browser’s sandbox via a specially crafted HTML page, potentially leading to full compromise of affected systems if combined with other exploits.

Google confirmed the flaw was discovered and reported by security researcher Shaheen Fazim on Feb. 11, 2026. The company acknowledged that exploits for CVE-2026-2441 exist in the wild but provided no further details on the nature of attacks, affected victims or the threat actors involved.

The patch arrived in a Stable channel update released Feb. 13, 2026. Updated versions include:

• Windows and macOS: 145.0.7632.75/76 (with later point releases up to 145.0.7632.77 as of Feb. 18-19)
• Linux: 144.0.7559.75 (with subsequent builds reaching 145.0.7632.109 in some logs)

More recent Android and iOS releases align with Chrome 145.0.7632.109 and 145.0.7632.108, respectively, incorporating equivalent security fixes. Extended Stable channel users received updates to 144.0.7559.220.

Google’s Chrome Releases blog emphasized that the update “will roll out over the coming days/weeks,” a standard phased deployment to minimize disruptions. Cybersecurity experts and outlets including Forbes, The Hacker News, Malwarebytes and BleepingComputer urged users not to wait for automatic rollout.

To check and install the update manually, users should open Chrome, click the three-dot menu, navigate to Help > About Google Chrome, and allow the browser to download and apply any available patches. A relaunch is typically required to activate the fix.

This zero-day follows a pattern of rapid browser vulnerabilities in early 2026. Industry analysts note that use-after-free errors in rendering engines like Blink (Chrome’s core) remain common attack vectors due to the complexity of CSS and font processing.

Experts recommend restarting Chrome after updating to ensure the patched version loads. Users on outdated builds remain vulnerable until the update applies and the browser restarts.

Beyond the security fix, Chrome 145 introduced several enhancements. Developer notes highlight reduced User-Agent strings by default following the removal of the UserAgentReduction policy, improving privacy by limiting fingerprinting data sent to websites. Other changes include stability improvements, performance optimizations and under-the-hood updates to PDFium and other components.

Chrome maintains its position as the world’s most popular browser, powering billions of users across desktops, mobiles and enterprise environments. The rapid response to CVE-2026-2441 underscores Google’s commitment to timely patching, especially for actively exploited issues.

No additional vulnerabilities were detailed in the Feb. 13 advisory, though ongoing internal tracking suggests potential follow-up fixes. Google restricts full bug details until widespread patching occurs, a practice aimed at reducing exploitation risks.

Cybersecurity professionals advise enabling automatic updates where possible and exercising caution with unknown websites or links. Organizations using Chrome Enterprise or Education editions should monitor admin consoles for rollout status.

As threats evolve, browser updates remain a critical layer of defense. Users are encouraged to verify their version immediately—navigate to chrome://version in the address bar—to confirm protection against CVE-2026-2441.

Google continues to invest in sandboxing, site isolation and other mitigations to limit damage from potential exploits. This incident serves as a reminder of the ongoing cat-and-mouse game between browser developers and adversaries targeting web platforms.

With millions potentially at risk before full deployment, the message is clear: Update Chrome now to stay secure.