Microsoft, Google, Vivaldi, Brave and Opera: Google fixes first actively exploited Chrome zero-day of 2026

Google Patches Actively Exploited Chrome Zero-Day (CVE-2026-2441)

On February 16, 2026, Google released an emergency security update to address CVE-2026-2441, a high-severity zero-day vulnerability in Chrome actively exploited in the wild. The flaw, classified as a use-after-free bug in the browser’s CSS component, allows remote attackers to execute arbitrary code within a sandbox via a maliciously crafted HTML page.

The vulnerability was discovered and reported by security researcher Shaheen Fazim on February 11, 2026. While Google confirmed the existence of an exploit, details about the threat actor or attack methods remain undisclosed.

This marks the first actively exploited Chrome zero-day of 2026, following eight similar vulnerabilities patched in 2025. The update (Chrome 145.0.7632.75/76 for Windows and Mac, 144.0.7559.75 for Linux) is rolling out globally over the coming days. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are advised to apply updates as they become available.

The flaw’s severity underscores the ongoing risk of browser-based attacks, particularly those leveraging memory corruption vulnerabilities. No additional technical or attribution details have been released.

Source: https://securityaffairs.com/188029/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2026.html

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

Google TPRM report: https://www.rankiteo.com/company/google

Vivaldi TPRM report: https://www.rankiteo.com/company/vivaldi-technologies

Brave TPRM report: https://www.rankiteo.com/company/brave-software

Opera TPRM report: https://www.rankiteo.com/company/operation-usa

"id": "opegoomicvivbra1771252591",
"linkid": "operation-usa, google, microsoft-security-response-center, vivaldi-technologies, brave-software",
"type": "Vulnerability",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'All Chrome users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Google Chrome',
                        'type': 'Software'},
                       {'customers_affected': 'All Edge users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Edge',
                        'type': 'Software'},
                       {'customers_affected': 'All Brave users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Brave',
                        'type': 'Software'},
                       {'customers_affected': 'All Opera users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Opera',
                        'type': 'Software'},
                       {'customers_affected': 'All Vivaldi users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Vivaldi',
                        'type': 'Software'}],
 'attack_vector': 'Remote',
 'customer_advisories': 'Users advised to update Chrome and Chromium-based '
                        'browsers immediately.',
 'date_detected': '2026-02-11',
 'date_publicly_disclosed': '2026-02-16',
 'description': 'On February 16, 2026, Google released an emergency security '
                'update to address CVE-2026-2441, a high-severity zero-day '
                'vulnerability in Chrome actively exploited in the wild. The '
                'flaw, classified as a use-after-free bug in the browser’s CSS '
                'component, allows remote attackers to execute arbitrary code '
                'within a sandbox via a maliciously crafted HTML page.',
 'impact': {'systems_affected': 'Chrome browser, Chromium-based browsers '
                                '(Microsoft Edge, Brave, Opera, Vivaldi)'},
 'investigation_status': 'Ongoing (limited details disclosed)',
 'lessons_learned': 'The flaw’s severity underscores the ongoing risk of '
                    'browser-based attacks, particularly those leveraging '
                    'memory corruption vulnerabilities.',
 'post_incident_analysis': {'corrective_actions': 'Patch deployment and update '
                                                  'rollout',
                            'root_causes': 'Use-after-free vulnerability in '
                                           'Chrome’s CSS component'},
 'recommendations': 'Users of Chromium-based browsers are advised to apply '
                    'updates as they become available.',
 'references': [{'date_accessed': '2026-02-16',
                 'source': 'Google Security Blog'}],
 'response': {'communication_strategy': 'Public disclosure of vulnerability '
                                        'and update availability',
              'containment_measures': 'Emergency security update released '
                                      '(Chrome 145.0.7632.75/76 for Windows '
                                      'and Mac, 144.0.7559.75 for Linux)',
              'remediation_measures': 'Patch deployment'},
 'title': 'Google Patches Actively Exploited Chrome Zero-Day (CVE-2026-2441)',
 'type': 'Zero-Day Vulnerability',
 'vulnerability_exploited': 'CVE-2026-2441 (use-after-free in CSS component)'}