On February 12, 2026, Google shipped an emergency Chrome patch following the discovery of a use-after-free zero-day in the Blink CSS engine. This vulnerability, tracked as CVE-2026-2441, was already being actively exploited in the wild before it was publicly disclosed. With a CVSS score of 8.8 (High), it affects hundreds of millions of Chrome users worldwide.
This article breaks down the technical details of the flaw, what it means for users, and the mitigation measures you should put in place right away.
What is a CSS use-after-free?
A use-after-free (UAF) is one of the major vulnerability classes in memory-unsafe languages such as C++. Blink, Chrome's rendering engine, is written in C++, where object lifetimes are decided by the program (owners, raw pointers, explicit frees) rather than enforced by the language, so a pointer can silently outlive the object it points to. A use-after-free flaw occurs when:
- An object is allocated in memory.
- That object is freed (deallocated).
- The code tries to access the object after it has been freed, without any check.
The program does not necessarily crash: the allocator typically reuses the freed memory, so the stale pointer now reads or writes whatever object happens to occupy that slot. An attacker who can influence what gets allocated there (heap grooming from JavaScript) turns the bug into a type confusion on an object of their choosing. That is the essence of the bug: you are using memory that no longer logically exists.
In the case of CVE-2026-2441, the flaw lives in Blink's CSS Layout Engine, specifically in the handling of the position: fixed and backdrop-filter properties when combined. When a CSS element uses both properties simultaneously and the browser re-renders the page after a DOM mutation, a pointer is not properly invalidated, creating a UAF.
Exploitation vector
To exploit this flaw, an attacker must:
- Control the HTML/CSS content rendered by the victim's browser (via XSS injection, direct site compromise, or malicious ads).
- Craft a CSS element specifically designed to trigger the flaw:

<div style="position: fixed; backdrop-filter: blur(10px);"></div>

- Mutate the DOM dynamically via JavaScript to force a re-layout that exposes the use-after-free.
- Turn the UAF into a memory-corruption primitive (heap grooming so that a controlled object occupies the freed slot) in order to:
  - Leak the address of JavaScript objects (ASLR bypass)
  - Gain arbitrary read/write and then code execution in the renderer process
  - Access sensitive data inside the Chrome process
The publicly disclosed proofs of concept (PoC) show that the flaw can be chained with other vulnerabilities to achieve arbitrary code execution in the context of Chrome's renderer process. On its own it does not leave the renderer sandbox: that step requires a separate sandbox-escape vulnerability (a second bug in the browser process, the IPC layer, or the OS kernel).
Real-world impact
Affected sites include:
- Any site where attacker-controlled CSS can reach the page: an injection point combined with a missing or lax Content Security Policy.
- User-generated content platforms (forums, comments, blogs) if XSS filtering is incomplete.
- Webmail and SaaS services that consume external content (Gmail, Slack, Notion, etc.) if a malicious attachment or link could force the browser to load malicious CSS.
- Programmatic advertising: an attacker injecting malicious CSS through an ad network can reach millions of users at once.
Google confirms that an exploit for this flaw exists in the wild, meaning attackers are actively using it. While no large-scale campaign has been publicly documented, Chrome's security teams assume targeted exploitation against high-value targets (governments, financial institutions, journalists). Because the bug is in the browser, the victim only needs to render attacker-controlled CSS; no interaction beyond visiting a page is required.
Affected versions
- Chrome 123.0.6312.0 and earlier
- Chrome OS 123.0.6312.0 and earlier
- Edge 123.0.2420.0 and earlier (Chromium-based)
- Brave, Opera, and all Chromium-based browsers prior to the fixed version
- Android Chrome 123 and earlier
Note: Firefox and Safari are not affected, since they use different rendering engines (Gecko and WebKit respectively), even though they have historically had their own vulnerabilities of this kind.
Disclosure timeline
- February 9, 2026: A security researcher discovers the UAF in Chromium's open source code.
- February 10, 2026: Report sent to Google through the Google Bug Bounty Program.
- February 11, 2026: Google confirms the severity (High, CVSS 8.8) and the in-the-wild exploitation, and opens an incident.
- February 12, 2026: Chrome 124.0.6367.60 released as an emergency build with the patch.
- February 13, 2026: CISA adds CVE-2026-2441 to its Known Exploited Vulnerabilities (KEV) catalog.
Technical analysis of the patch
The fix implements several measures:
- Strict pointer validation: before accessing a CSS Layout object, the code now verifies that the pointer was not invalidated during a previous DOM mutation.
- Cache invalidation: backdrop-filter caches are explicitly invalidated on DOM changes affecting position: fixed, so the cache never holds a pointer to a layout object that has already been destroyed.
- Atomic cleanup sequence: freeing the object and removing its cache entry now happen as one step, so there is no window in which the entry outlives the object.
- AddressSanitizer coverage: ASan is compile-time instrumentation used in development and fuzzing builds to catch UAFs early. It is not part of the shipped browser, so this is a process improvement rather than a runtime mitigation for users.
// Before (vulnerable)
void LayoutEngine::UpdateBackdropFilter() {
  auto filter = cache_[element_id];  // raw pointer; may dangle after a DOM mutation
  filter->Apply();                   // UAF: dereferences freed memory
}

// After (patched)
void LayoutEngine::UpdateBackdropFilter() {
  // The DOM mutation that frees the layout object must also mark this entry
  // invalid; otherwise the check-then-use below cannot protect anything.
  if (IsCacheValid(element_id)) {
    auto filter = cache_[element_id];
    filter->Apply();
  }
}
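To make the lifetime argument behind the patch concrete, here is an added example (not Chromium code; LayoutCache, BackdropFilter, Register, OnElementRemoved, RunScenario and StaleEntriesAfterLookup are hypothetical names) that models the same cache with a std::weak_ptr instead of a raw pointer. The stale entry is then detected at the point of use, rather than depending on a separate validity flag being kept in sync with every free:

```cpp
// Added example, not Chromium code: a minimal model of the dangling-cache
// pattern. Element objects own their BackdropFilter through shared_ptr; the
// layout cache keeps only a weak_ptr, so it can never dereference a freed
// object, and the DOM-removal hook purges the entry eagerly as well.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

struct BackdropFilter {
    std::string spec;  // e.g. "blur(10px)"
    int applied = 0;   // how many times Apply() ran
    void Apply() { ++applied; }
};

struct Element {
    int id;
    std::shared_ptr<BackdropFilter> filter;  // the element owns its filter
};

class LayoutCache {
public:
    // Cache entries are weak: they do not extend the filter's lifetime.
    void Register(const Element& e) { cache_[e.id] = e.filter; }

    // DOM mutation hook: drop the entry together with the element (the
    // "atomic cleanup" from the patch description).
    void OnElementRemoved(int id) { cache_.erase(id); }

    // Returns true if a live filter was applied, false on a miss or an
    // expired entry. The weak_ptr is promoted only while the object is
    // alive, so the old raw-pointer dereference cannot happen here.
    bool UpdateBackdropFilter(int id) {
        auto it = cache_.find(id);  // find(), not operator[], avoids inserting an empty entry
        if (it == cache_.end()) return false;
        if (std::shared_ptr<BackdropFilter> filter = it->second.lock()) {
            filter->Apply();
            return true;
        }
        cache_.erase(it);  // expired: purge so stale entries do not accumulate
        return false;
    }

    std::size_t Size() const { return cache_.size(); }

private:
    std::map<int, std::weak_ptr<BackdropFilter>> cache_;
};

// Scenario mirroring the article: register a fixed element that carries a
// backdrop filter, run layout once, destroy the element (the DOM mutation),
// then run layout again. Returns the number of successful Apply() calls.
// With the original raw-pointer cache the second layout would be the UAF;
// here it is a safe miss whether or not the removal hook fires.
int RunScenario(bool fire_removal_hook) {
    LayoutCache cache;
    int applies = 0;
    {
        auto filter = std::make_shared<BackdropFilter>();
        filter->spec = "blur(10px)";
        Element div{1, filter};
        cache.Register(div);
        if (cache.UpdateBackdropFilter(1)) ++applies;  // live object: applied
        if (fire_removal_hook) cache.OnElementRemoved(1);
    }  // div and the last shared_ptr go out of scope: the filter is freed here
    if (cache.UpdateBackdropFilter(1)) ++applies;  // stale or missing entry: skipped
    return applies;
}

// After a lookup hits an expired weak_ptr the entry is erased, so the table
// does not keep growing with dead references even without the removal hook.
std::size_t StaleEntriesAfterLookup() {
    LayoutCache cache;
    {
        Element div{7, std::make_shared<BackdropFilter>()};
        cache.Register(div);
    }
    cache.UpdateBackdropFilter(7);
    return cache.Size();
}

int main() {
    std::printf("applies with removal hook: %d\n", RunScenario(true));
    std::printf("applies without hook:      %d\n", RunScenario(false));
    std::printf("stale entries left:        %zu\n", StaleEntriesAfterLookup());
    return 0;
}
```

The design point is that ownership, not a flag, decides whether the pointer is usable: Chrome's own answer to this class is MiraclePtr (raw_ptr<T> backed by PartitionAlloc reference counting), which similarly prevents a dangling pointer from being dereferenced without relying on every call site to check validity first.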
Immediate mitigation measures
For individual users
- Update Chrome right now to version 124.0.6367.60 or later. Updates download automatically, but force the check by going to chrome://settings/help.
- Restart Chrome completely (close all tabs, relaunch the browser). A downloaded update is only applied after a relaunch, so confirm that the version shown under chrome://settings/help reads 124.0.6367.60 or later.
- If you cannot update immediately (for example, a managed device waiting on an administrator), consider Firefox or Safari as temporary alternatives, since they use different rendering engines.
- Avoid sites of questionable trust or links from unverified sources until you confirm the patch is widely deployed.
For network and IT administrators
- Force Chrome/Edge updates via GPO (Windows) or MDM (macOS, Android) immediately. This CVE justifies an out-of-band emergency update.
- Block versions earlier than 124.0.6367.60 where possible (for example, a proxy or WAF rule on the User-Agent header, or MDM compliance policies). Keep in mind that since Chrome 101 the User-Agent string is reduced to the major version ("Chrome/124.0.0.0"); the full build and patch numbers are only available through the Sec-CH-UA-Full-Version-List client hint or from endpoint inventory, so a User-Agent rule can only reliably reject older major versions.
- Audit internal sites that use custom CSS to detect the pattern (backdrop-filter + position: fixed).
- Harden Content Security Policy across all web applications. The directive that matters here is style-src: a policy that allows 'unsafe-inline' still permits injected inline styles, so use nonces or hashes instead. A CSP protects your own pages from injection; it does nothing for a user who is sent to an attacker-controlled page.
Content-Security-Policy: default-src 'self'; style-src 'self' 'nonce-<random-per-response>'; script-src 'self' 'nonce-<random-per-response>'; object-src 'none'; base-uri 'self';
- Monitor anomaly logs (renderer crashes, unexpected behavior) over the following 2 weeks. Repeated renderer crashes ("Aw, Snap!") on the same page are the typical footprint of an exploit attempt that did not land.
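The version gating and inventory steps in this section need a consistent way to decide whether a reported Chromium build is behind the fix. The following is an added example, not from the page: a small C++ triage over User-Agent strings (the kind a proxy or web server logs) that compares the reported version against the fixed build the article gives, 124.0.6367.60. It also handles the reduced User-Agent that Chrome has sent since version 101, where only the major version is real. The sample UA lines are constructed, and ParseChromeVersion, Classify and Triage are hypothetical names.

```cpp
// Added example, not from the page: classify Chromium-based clients by the
// version in their User-Agent header against the fixed build 124.0.6367.60.
// Chrome, Edge, Brave and Opera all carry "Chrome/<major>.<minor>.<build>.<patch>".
// Since Chrome 101 the UA is reduced to "<major>.0.0.0"; the real build and
// patch numbers arrive only in the Sec-CH-UA-Full-Version-List client hint,
// so a same-major UA with an all-zero tail cannot be called safe from the UA alone.
#include <array>
#include <cstddef>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

using Version = std::array<int, 4>;
constexpr Version kFixedVersion{124, 0, 6367, 60};  // fixed build named in the article

enum class Status { kPatched, kVulnerable, kIndeterminate, kNotChromium };

// Extracts the four-part version after "Chrome/". Returns false when the
// token is absent or malformed, so unknown clients are never counted as safe.
bool ParseChromeVersion(const std::string& ua, Version& out) {
    static const std::string key = "Chrome/";
    std::size_t pos = ua.find(key);
    if (pos == std::string::npos) return false;
    pos += key.size();
    std::size_t end = ua.find(' ', pos);
    std::istringstream in(ua.substr(pos, end == std::string::npos ? std::string::npos : end - pos));
    char dot = 0;
    for (std::size_t i = 0; i < out.size(); ++i) {
        if (!(in >> out[i]) || out[i] < 0) return false;
        if (i + 1 < out.size() && !((in >> dot) && dot == '.')) return false;
    }
    return true;
}

Status Classify(const std::string& ua) {
    Version v{};
    if (!ParseChromeVersion(ua, v)) return Status::kNotChromium;
    if (v[0] < kFixedVersion[0]) return Status::kVulnerable;  // older major: cannot have the fix
    if (v[0] > kFixedVersion[0]) return Status::kPatched;     // newer major carries it
    bool reduced = (v[1] == 0 && v[2] == 0 && v[3] == 0);     // "124.0.0.0": reduced UA
    if (reduced) return Status::kIndeterminate;               // needs client hints or EDR data
    return v >= kFixedVersion ? Status::kPatched : Status::kVulnerable;  // lexicographic compare
}

struct Summary { int patched = 0, vulnerable = 0, indeterminate = 0, not_chromium = 0; };

Summary Triage(const std::vector<std::string>& user_agents) {
    Summary s;
    for (const auto& ua : user_agents) {
        switch (Classify(ua)) {
            case Status::kPatched:       ++s.patched;       break;
            case Status::kVulnerable:    ++s.vulnerable;    break;
            case Status::kIndeterminate: ++s.indeterminate; break;
            case Status::kNotChromium:   ++s.not_chromium;  break;
        }
    }
    return s;
}

// Constructed sample User-Agent strings (not real log data).
const std::vector<std::string> kSampleUserAgents = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.0 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.40 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; rv:125.0) Gecko/20100101 Firefox/125.0",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
};

int main() {
    Summary s = Triage(kSampleUserAgents);
    std::printf("patched=%d vulnerable=%d indeterminate=%d not_chromium=%d\n",
                s.patched, s.vulnerable, s.indeterminate, s.not_chromium);
    return 0;
}
```

The indeterminate bucket is the one to act on: those clients are on the fixed major but the log cannot tell whether the patch build has been applied, so they should be resolved from the client hint or from the endpoint inventory the deliverables section calls for, not assumed safe.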
For web developers
- Audit your CSS for position: fixed + backdrop-filter combinations that could trigger the flaw, and replace them while clients are being patched:

/* Instead of backdrop-filter on a fixed element */
.overlay {
  position: absolute;
  background: rgba(0, 0, 0, 0.5);
  backdrop-filter: none; /* apply the filter on a non-fixed parent instead */
}

  Keep in mind what this buys you: the bug is in the browser, not in your site. Removing the pattern only ensures that your own pages are not the trigger; it does nothing for a user who is sent to an attacker-controlled page.
- Implement a strict CSP to block malicious CSS injection.
- Sanitize all user-generated content with a library such as DOMPurify for JavaScript/HTML/CSS.
- Use-after-free bugs are detected by sanitizer builds of Chromium (AddressSanitizer), not by Chrome DevTools. If you want to test your pages as crash triggers, run them against an ASan build or a fuzzing harness rather than relying on DevTools.
Required security deliverables
Security teams should produce:
- An inventory of Chrome versions in production (via EDR, application logs).
- A patch plan with stage-by-stage deadlines (Dev → Test → UAT → Production).
- CSS vulnerability scanning across all internal sites and web apps.
- A communication matrix to inform internal users of the required patch.
- A rollback plan in case of problems with the new version.
Comparison with past historic UAFs
This flaw echoes several earlier memory-safety bugs exploited in the wild in Chrome:
- CVE-2023-4863: a heap buffer overflow in libwebp (WebP image decoding), not a UAF and not in Blink, but likewise exploited in the wild before the patch and affecting every application that bundled the library.
- CVE-2024-11123 (WebSQL UAF): a use-after-free in the WebSQL implementation, an API Chrome has since removed.
The common pattern: an object is freed during a mutation (DOM, layout, or database state) while another component still holds a pointer to it, and no check catches the stale reference. Google has been hardening Chrome's C++ against exactly this class, notably with MiraclePtr (raw_ptr<T> backed by PartitionAlloc reference counting), which turns many use-after-free dereferences into safe no-ops or clean crashes, but the work is far from finished.
Long-term outlook
Over the longer term, the industry is exploring:
- Memory-safe languages: bringing Rust into Chromium (already permitted for third-party libraries) and gradually moving parts of Blink to memory-safe code to eliminate UAFs by design.
- Continuous fuzzing: improving fuzzing campaigns to detect UAFs before they reach production.
- Compartmentalization: stricter isolation of contexts (origin, permission) to limit the impact of a successful exploit.
Google has announced that 30% of Blink's critical code will be in Rust by the end of 2027, reducing the attack surface for UAFs.
Conclusion
CVE-2026-2441 is a crucial reminder that even massively funded and well-staffed projects like Chrome remain subject to fundamental memory-unsafe bugs. The fact that this flaw was actively exploited before its public disclosure underscores how important it is to update immediately.
Fortunately, the fix was delivered quickly and broadly. The majority of users will receive the patch automatically. For organizations with managed environments, distribution should be treated as the top priority this week.
While we wait for the long-term migration to memory-safe languages, strengthen your defense in depth: strict CSPs, anomaly monitoring, and regular CSS audits.