Google Releases Emergency Patch For First Chrome Zero-Day Exploit of 2026
Google has issued an urgent security update for its Chrome browser to address a high-severity vulnerability that has already been exploited in real-world attacks, marking the first confirmed zero-day flaw patched by the company in 2026.
The vulnerability, tracked as CVE-2026-2441 with a CVSS score of 8.8, was identified as a use-after-free memory issue within Chrome’s handling of advanced font rendering features. According to Google, evidence suggests attackers were actively exploiting the flaw before a fix was made available, prompting a rapid response and accelerated patch rollout.
Critical flaw discovered in Chrome’s font system
In a security advisory, Google confirmed it was aware of “an exploit… in the wild,” a designation reserved for vulnerabilities already being used by attackers rather than theoretical threats.
The bug was discovered by security researcher Shaheen Fazim and affects a component known as CSSFontFeatureValuesMap, part of Chrome’s implementation of modern web font features. This system allows developers to control how fonts behave and render on webpages.
At its core, the issue stems from an iterator invalidation bug, a type of programming error that can lead to memory being accessed after it has already been freed. Such flaws—commonly referred to as use-after-free vulnerabilities—are particularly dangerous because they can enable attackers to manipulate memory in unpredictable ways.
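The bug class described above can be shown in a few lines of C++. This is an added example, not Chrome's code and not taken from Google's advisory: FeatureMap, Callback and the visit functions are hypothetical names, and the map contents are constructed. It contrasts a loop that keeps an iterator alive across a call that may mutate the map with a loop that snapshots the keys and looks each one up again.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for a font-feature map; not Chrome's code.
using FeatureMap = std::map<std::string, std::vector<int>>;
using Callback = std::function<void(FeatureMap&, const std::string&)>;

// UNSAFE (shown for contrast, never called here): `it` is held across a
// callback that may erase the node it points to; `++it` then reads freed memory.
int visit_unsafe(FeatureMap& m, const Callback& cb) {
    int visited = 0;
    for (auto it = m.begin(); it != m.end(); ++it) {
        cb(m, it->first);  // may invalidate `it` and the key reference
        ++visited;
    }
    return visited;
}

// SAFE: copy the keys first, then re-look-up each one, so no iterator or
// reference into the map survives a call that can mutate it.
int visit_safe(FeatureMap& m, const Callback& cb) {
    std::vector<std::string> keys;
    for (const auto& kv : m) keys.push_back(kv.first);
    int visited = 0;
    for (const std::string& key : keys) {
        if (m.find(key) == m.end()) continue;  // erased by an earlier callback
        cb(m, key);
        ++visited;
    }
    return visited;
}

// Constructed scenario: visiting "alt" erases both "alt" and "swash".
int demo_visited() {
    FeatureMap m = {{"alt", {1}}, {"styleset", {3, 4}}, {"swash", {2}}};
    Callback cb = [](FeatureMap& map, const std::string& key) {
        if (key == "alt") { map.erase("swash"); map.erase("alt"); }
    };
    return visit_safe(m, cb);
}

int main() {
    std::cout << "entries visited safely: " << demo_visited() << "\n";
    return 0;
}
```

Building code like visit_unsafe with AddressSanitizer (-fsanitize=address) is a common way to surface this class of bug in testing, since it reports the access to the freed node.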
Posted on: 2/17/2026 11:42:55 AM