Hackers Are Actively Exploiting a New Chrome Zero-Day. Here's What You Need to Know

A flaw in Chrome's CSS engine is being exploited right now — and millions of users are sitting ducks until they update.

If You Haven't Updated Chrome Today, This Is Your Warning

Google just confirmed it. A zero-day vulnerability in Chrome is being exploited in the wild — and if you haven't updated your browser, attackers could already be targeting you.


What Happened?

On February 13, 2026, Google pushed an emergency security update for Chrome after confirming that a critical flaw, tracked as CVE-2026-2441, had been found actively exploited. The vulnerability carries a CVSS score of 8.8 out of 10 — classified as high severity.

Security researcher Shaheen Fazim discovered and reported the flaw on February 11, just two days before Google shipped the fix. That's a fast turnaround, but attackers were already moving.

The bug itself is a use-after-free vulnerability in Chrome's CSS engine. In plain terms: a flaw in how Chrome handles certain memory operations related to CSS. When exploited, it lets a remote attacker run arbitrary code inside Chrome's sandbox — all through a maliciously crafted HTML page. You visit the wrong link, and that's the door in.

Google has not disclosed who is behind the attacks or who the targets are. What they did confirm, through their official Stable Channel update post, is that an exploit exists in the wild. That's enough.

This is Chrome's first actively exploited zero-day of 2026. In 2025, Google patched eight such flaws across the year — some exploited, some demonstrated as proof-of-concept attacks.


What's the Impact?

Chrome is installed on roughly 65% of desktop browsers globally. That attack surface is enormous, and that's exactly why browser vulnerabilities are a go-to for malicious actors. A single booby-trapped webpage is all it takes.

The sandbox bypass is the part worth paying attention to. Chrome's sandbox is supposed to contain damage — it limits what a compromised process can do. A use-after-free bug that can punch through the sandbox means attackers can reach further into the affected system than they should be able to.

This also matters beyond Chrome users. Browsers built on Chromium — Microsoft Edge, Brave, Opera, Vivaldi — share much of the same codebase. Until those vendors ship their own updates, users on those browsers are running with the same underlying vulnerability.

One more thing: the turnaround between discovery (February 11) and active exploitation tells you how fast threat actors move. There's often no grace period.


How to Avoid This

Update Chrome — right now, before you do anything else.

The patched versions are 145.0.7632.75 or 145.0.7632.76 for Windows and macOS, and 144.0.7559.75 for Linux. To check which version you're running: open Chrome, click the three-dot menu in the top right, go to Help → About Google Chrome. The browser will check for updates automatically. Hit Relaunch to apply.

If you're on Microsoft Edge, Brave, Opera, or Vivaldi, watch for updates from those vendors — and install them as soon as they drop. In the meantime, be cautious about clicking unfamiliar links, especially from emails or messages.
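For anyone checking more than one machine, the version comparison can be scripted. The sketch below is an added example, not code from Google or from the original article: the hostnames, sample version strings and the three status labels are constructed for illustration, and it only passes judgment on the Chrome builds named above, marking everything else (other Chromium browsers, milestones the article gives no fixed build for) as unverified.

```python
import re

# Patched builds as stated in the article, keyed by platform.
PATCHED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

# Matches strings such as "Google Chrome 145.0.7632.75".
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+\.\d+\.\d+\.\d+)\b")


def classify(platform, version_line):
    """Return 'patched', 'unpatched' or 'unverified' for one inventory entry."""
    m = VERSION_RE.match(version_line.strip())
    baseline = PATCHED.get(platform.lower())
    if not m or baseline is None:
        return "unverified"  # unparseable string or platform not covered
    if m.group("product") != "Google Chrome":
        # Other Chromium browsers use vendor-specific build numbers,
        # so Chrome's numbers cannot be compared against them.
        return "unverified"
    version = tuple(int(p) for p in m.group("ver").split("."))
    if version[0] < baseline[0]:
        return "unpatched"  # older milestone than the fixed build
    if version[0] > baseline[0]:
        # The article names no fixed build for this milestone on this platform.
        return "unverified"
    return "patched" if version >= baseline else "unpatched"


def audit(inventory):
    """Map each (host, platform, version_line) row to its classification."""
    return {host: classify(platform, line) for host, platform, line in inventory}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.45"),
    ("mac-01", "macos", "Google Chrome 144.0.7559.110"),
    ("lnx-01", "linux", "Google Chrome 144.0.7559.75"),
    ("lnx-02", "linux", "Google Chrome 145.0.7632.45"),
    ("ws-03", "windows", "Microsoft Edge 145.0.3800.58"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as unverified needs a manual look at the vendor's own release notes rather than a pass.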

No patch fixes careless browsing. Keep that in mind too.