Threat actors are actively exploiting a new zero-day vulnerability in the Chrome browser, Google has warned IT administrators.
The warning comes after Google released a patch for Chrome to plug a use-after-free memory vulnerability (CVE-2026-2441) in its Cascading Style Sheets (CSS) handling: the browser's CSS engine continues to use a block of memory after it has been freed, and an attacker can exploit that.
If not patched, it allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The vulnerability is rated at High in severity.
At risk are Windows and Mac Chrome browsers prior to 145.0.7632.75/76, and prior to 144.0.7559.75 for Linux.
“Google is aware that an exploit for CVE-2026-2441 exists in the wild,” the warning adds.
Details about the bug are scarce. Google says access to bug details and links may be restricted until a majority of users have updated with the fix. It will also maintain the restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed.
Gene Moody, field CTO at Action1, explained that, in this vulnerability, the browser frees an object but later continues to use a stale reference to that memory location. Any attacker who can shape heap layout with controlled content can potentially replace the contents of that freed memory with data they control. Because this lives in the renderer, and is reachable through normal page content, he said, the trigger surface is almost absolute.
“In practical terms,” he added, “a vulnerable user simply visiting a malicious page could be enough to effectively trigger the bug.”
Hunting for and exploiting browser vulnerabilities is a popular tactic for threat actors. That's because browsers are often an entry point to enterprises, particularly in an era of cloud applications. Browsers not only access corporate data, they hold sensitive information such as login credentials and the personal data stored for autofilling forms.
Browsers usually ship with automatic update installation enabled by default. Some CSOs and CIOs, however, prefer manual installation so that patches can be tested for compatibility with enterprise applications before deployment. For a bug that is already being exploited in the wild, that testing window is also exposure time, so administrators need to know which hosts are still running a build older than the fixed one.
Johannes Ullrich, dean of research at the SANS Institute, said this is just the most recent Chrome 0-day to be discovered, and, based on history, there are probably many others already in use that have not been discovered or patched yet.
“Having a solid endpoint monitoring program in place can mitigate some of this risk,” he said. “For enterprise administrators, Google offers Chrome Enterprise Core, which adds the instrumentation necessary to monitor browser versions and release upgrades. Chrome Enterprise Core also adds central management for extensions. Malicious extensions are often a larger problem than 0-days.”
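The monitoring Ullrich describes boils down to one question per host: is the installed Chrome build older than the fixed build for that platform? The following Python script is an added example, not code from the article, from Google or from Chrome Enterprise Core. It takes the fixed builds exactly as the article lists them (145.0.7632.75/76 on Windows and Mac, 144.0.7559.75 on Linux) and compares reported versions against them numerically, field by field. The sample inventory and hostnames are constructed for the example; the assumption that the `/76` Windows and Mac build is the same patch level as `.75` is also the example's own.

```python
"""Fleet check: which hosts report a Chrome build older than the fixed build
for CVE-2026-2441. Added example; not code from the article or from Google."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed builds as the article lists them. Assumption (the example's own): on
# Windows and Mac, .75 and .76 are the same patch level, so .75 is the floor.
FIXED_BUILDS: Dict[str, Tuple[int, ...]] = {
    "windows": (145, 0, 7632, 75),
    "mac": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a four-part Chrome version out of strings such as
    'Google Chrome 145.0.7632.76' or a bare '144.0.7559.40'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(platform: str, version_text: str) -> bool:
    """True when the reported build is older than the platform's fixed build.
    Fields are compared as integers, so 145.0.7632.9 is correctly seen as
    older than 145.0.7632.75 (a plain string comparison would get it wrong)."""
    fixed = FIXED_BUILDS[platform.lower()]
    return parse_version(version_text) < fixed


def find_vulnerable(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose reported build is below the fixed build."""
    return [host for host, platform, version in inventory
            if is_vulnerable(platform, version)]


def local_chrome_version() -> Optional[str]:
    """Best-effort read of the local Chrome version on Linux by running
    'google-chrome --version'. Assumption: the binary is on PATH under that
    name; returns None when it is not installed."""
    binary = shutil.which("google-chrome")
    if binary is None:
        return None
    out = subprocess.run([binary, "--version"], capture_output=True, text=True)
    return out.stdout.strip() or None


# Constructed sample inventory: (hostname, platform, version string as an
# endpoint agent or '--version' would report it). Not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-001", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-002", "windows", "Google Chrome 145.0.7632.9"),
    ("mac-010", "mac", "Google Chrome 144.0.7559.110"),
    ("lx-003", "linux", "Google Chrome 144.0.7559.75"),
    ("lx-004", "linux", "Google Chrome 144.0.7559.40"),
]

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: below fixed build for CVE-2026-2441, update required")
```

The version-as-integers comparison is the part worth copying: inventories exported from an endpoint agent or a spreadsheet are often compared as strings, and a string comparison ranks `145.0.7632.9` above `145.0.7632.75`, silently marking an unpatched host as fixed.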
Browsers are highly complex programs that support a large number of technologies, he added, and include some legacy standards with limited current support.
“The open-source Chromium browser codebase includes about 36 million lines of code,” he pointed out. “A large project like this is bound to include vulnerabilities. Google has used a number of automated tools to continuously reduce the number of vulnerabilities, but adversaries do the same, and sometimes find bugs that Google has not yet found or not yet gotten around to patching proactively.”
Browser zero-days are never good, because it's trivial for criminals to use poisoned ads to steer victims with vulnerable browsers to websites containing malicious code, said David Shipley, head of Canadian security awareness training provider Beauceron Security.
“In this case, it looks like this is only a partial fix for the vulnerability in progress, and Google is being a bit tight-lipped about how bad this bug was, and all the things it could be used for beyond crashing the browser and corrupting data. But given there are exploits in the wild, and Google says it’s waiting until the majority of users are patched before getting into more details, there’s clearly something more interesting behind this one.”
Getting fixes to enterprise browsers is still not as easy as it should be, he added, and usually involves expensive tools or complex workflows that most smaller organizations don’t have.
Google, however, provides extensive advice for administrators on managing Chrome updates.
This article originally appeared on CSOonline.