CVE-2026-2441

HighCISA KEVActive ExploitationPublic PoC

Published: 13 February 2026

Published

13 February 2026

Modified

23 February 2026

KEV Added

17 February 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0946 92.9th percentile

Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Description

Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and remediation of known software flaws like this Chrome use-after-free vulnerability through patching to version 145.0.7632.75 or later.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2026-2441, enabling proactive remediation.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as ASLR and DEP that mitigate exploitation of use-after-free vulnerabilities in browser CSS components.

Security SummaryAI

CVE-2026-2441 is a use-after-free vulnerability (CWE-416) in the CSS component of Google Chrome prior to version 145.0.7632.75. Published on 2026-02-13, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and Chromium security severity of High.

A remote attacker can exploit this vulnerability by crafting an HTML page that triggers the use-after-free, enabling arbitrary code execution inside the browser's sandbox. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges or special access.

Mitigation involves updating to Google Chrome 145.0.7632.75 or later, as announced in the stable channel update on the Chrome Releases blog (chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html). Additional details are in the Chromium issue tracker (issues.chromium.org/issues/483569511), and a proof-of-concept is publicly available on GitHub (github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html).

The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441), signaling real-world exploitation.

Details

CWE(s): CWE-416
KEV Date Added: 17 February 2026

Affected Products

google

chrome

≤ 145.0.7632.75 · ≤ 145.0.7632.76

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a use-after-free in Chrome's CSS component exploited via a malicious webpage, enabling drive-by compromise (T1189) and exploitation for client execution (T1203) with user interaction by visiting the site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/483569511
Issue Tracking, Permissions Required · chrome-cve-admin@google.com
https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html
Exploit · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-2441
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0