Chrome urgent alert emergency patch to active exploitation of CVE 2026 2441

Google launched an update for Chrome in emergency mode after detecting that a high-gravity vulnerability - recorded as CVE-2026-2441- was already being actively exploited. The company confirmed this in its official notice for the stable desk branch, where it warns that there is an explosion "in nature" and recommends that users install the patch as soon as possible to reduce the risk. You can read the original release on the Chrome Releases blog: chromerease.googleblog.com.

The technical problem behind this correction is a typical "use-after-free" type failure derived from the invalidation of an iterator within the implementation of the values of typographic characteristics in CSS (CSSFontFeatureValuesMap). In simple terms, this is a condition in which the browser continues to try to use a portion of memory that has already been released, which can lead to foreign graphic failures and behaviors to data corruption or the execution of unwanted code if an attacker takes advantage of vulnerability.

The theoretical details of the failure appear in the Chromium project's commitment history and the associated ticket that continues to work on the issue. The patch covers the immediate problem but developers point to related pending tasks in Chromium's bug tracker: crbug.com / 483936078. This record suggests that some corrections have been applied on time and that additional work may be left to address possible side effects or related conditions.

One sign of the gravity perceived by Google is that the correction was "cherry-picked" - that is, back cover - to the stable version rather than waiting for the next major release. This practice is used when an error represents a real risk and should be achieved to most users as soon as possible.

The versions that are receiving the update on the stable desktop branch are as follows: Windows and macOS with versions 145.0.7632.75 / 76 and Linux with 144.0.7559.75. If you want to check and apply the update manually, open Chrome, go to "Help" > "Google Chrome Information" and let the browser download and install the new version; Google explains the process on its support page: support.google.com. If you prefer the automatic track, Chrome usually install updates when restart the browser.

Google has not yet provided specific details on who or how this vulnerability has been exploited in practice; the company often limits the disclosure of technical information until most users receive the correction, to prevent malicious actors from reusing the details for additional campaigns. This policy also applies when the failure is in a third-party library and other projects have not yet published their own solutions.

This patch is remarkable because, although over the past year Google corrected several zero-day vulnerabilities used in real attacks (many detected by its Threat Analysis Group), up to 2026 there had been no active operation correction in Chrome. If you want to know more about the work done by Google's threat analysis team, your blog is a good reference: blog.google / amenat-analys-group.

What should you do now? The most practical and effective thing is to update Chrome as soon as possible and make sure that automatic updates are active. If for any reason you cannot update immediately, avoid opening links or downloading content from doubtful origins and, in corporate environments, coordinate with your IT team to centrally deploy the patch. Other Chromium-based browsers should also be kept up to date, as some projects share components and may need their own patches.

In short, it is a further reminder that browsers remain a preferred target for attackers: they are the gateway to our accounts, passwords and personal data. Updating now is the best defense and the combination of fast patches, official source monitoring and basic safe navigation practices significantly reduces the risk.