CVE-2026-2441

CVSS 8.8 HIGH · EPSS 22.0% · KEV · CWE-416

In short

Google Chrome had a flaw in its CSS handling that allowed attackers to run malicious code within the browser's sandbox by tricking users into opening a specially crafted webpage. This could let attackers take control of your browser session and steal sensitive data.

Technical detail

A use-after-free vulnerability in Chrome's CSS parser prior to version 145.0.7632.75 enables remote code execution within the sandbox through a malicious HTML page. The vulnerability is triggered when a crafted webpage causes CSS processing to reference memory that has already been freed, allowing an attacker with no special privileges to execute arbitrary code within the renderer process sandbox.

Summary generated and translated by AI from the official description.
Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Google · Chrome