First Chrome Zero-Day of 2026 Is Being Exploited Right Now — Update Every Chromium Browser You Own
CVE-2026-2441: A use-after-free in Chrome's CSS engine. Google won't say who's exploiting it. Patch is live. Don't wait for auto-update.
Don’t Hack On Me — Signal February 16, 2026
The Story
Google released an emergency Chrome update on Friday to patch CVE-2026-2441 — a high-severity (CVSS 8.8) use-after-free vulnerability in Chrome’s CSS engine that’s being actively exploited in the wild. It’s the first Chrome zero-day of 2026, and Google is doing what Google always does: confirming exploitation exists while saying absolutely nothing about who’s doing it or who’s being targeted.
The vulnerability is an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome's implementation of CSS font feature values (the @font-feature-values rule). In the general form of this bug class, code holds an iterator or pointer into a container while some other operation modifies that container and frees the storage the iterator refers to; the next use of the iterator then reads or writes freed memory. An attacker who can trigger that sequence from a crafted stylesheet can reoccupy the freed allocation with attacker-controlled data and hijack control flow inside the renderer process. Delivery is a crafted HTML page, so phishing links and compromised or malicious websites are the likely vector. One caveat worth keeping in mind: a renderer bug like this lands inside Chrome's sandbox, and turning it into a full device compromise normally takes a second, sandbox-escape bug, which is why in-the-wild browser exploits usually arrive as chains. Security researcher Shaheen Fazim discovered and reported the flaw on February 11. Google shipped the patch two days later, on February 13.
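To make the mechanism concrete, here is a generic illustration of the iterator-invalidation bug class. It is an added example written for this post, not Chrome's code, and it makes no claim about how CSSFontFeatureValuesMap is actually implemented or where the real bug sits; the feature-tag map and the "remove disabled entries" rule are constructed for the demo.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>

// Constructed stand-in for a feature-values table: feature tag -> value.
// (Illustration only; not Blink's CSSFontFeatureValuesMap.)
using FeatureMap = std::map<std::string, int>;

// BUGGY: std::map::erase(it) destroys the node `it` points at, so the loop's
// `++it` walks a freed node. This compiles without warnings; the defect is only
// visible at runtime (AddressSanitizer reports heap-use-after-free) or when the
// freed memory has already been reused by something else. Deliberately never
// called in this program.
void remove_disabled_buggy(FeatureMap& m) {
    for (auto it = m.begin(); it != m.end(); ++it) {
        if (it->second == 0) {
            m.erase(it);        // `it` is now dangling ...
        }                       // ... and the loop's ++it uses it anyway
    }
}

// FIXED: erase() hands back the next valid iterator, so the iterator is always
// re-established from the container after the mutation.
void remove_disabled_fixed(FeatureMap& m) {
    for (auto it = m.begin(); it != m.end(); ) {
        if (it->second == 0) {
            it = m.erase(it);
        } else {
            ++it;
        }
    }
}

// Constructed sample: two enabled features, one disabled.
FeatureMap sample_features() {
    return {{"liga", 1}, {"kern", 0}, {"smcp", 1}};
}

// Number of entries left after the fixed routine runs on the sample.
std::size_t remaining_after_fix() {
    FeatureMap m = sample_features();
    remove_disabled_fixed(m);
    return m.size();
}

// Whether a given tag survives the fixed routine on the sample.
bool fix_keeps(const std::string& tag) {
    FeatureMap m = sample_features();
    remove_disabled_fixed(m);
    return m.count(tag) == 1;
}

int main() {
    FeatureMap m = sample_features();
    remove_disabled_fixed(m);
    for (const auto& kv : m)
        std::printf("%s=%d\n", kv.first.c_str(), kv.second);
    return 0;
}
```

Build with `-fsanitize=address` and call the buggy variant yourself to see the heap-use-after-free report; the shape of the fix (never keep an iterator across a mutation of its container without re-deriving it) is the general remedy for this class, whatever the container.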
Here's the part that matters: this isn't just a Chrome problem. Every browser built on Chromium is affected, including Microsoft Edge, Brave, Opera, Vivaldi, Arc, and any other Chromium-based browser you're running. That's roughly 70% of global browser market share running on a single engine. One vulnerability, one codebase, and most of the internet's browsers need a patch. Chrome's fixed versions are 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux. Other Chromium browsers will ship their own patches as they pull in the fix, so check each vendor's advisory for its fixed build rather than assuming the Chrome numbers carry over.

For context, Chrome had roughly 8 actively exploited zero-days in 2025 and 7 in 2024. That's averaging close to one per month. Browser zero-days aren't rare events anymore; they're a recurring line item in your patching calendar.
What Does This Mean to Me?
If you're in security operations: Update Chrome right now. Don't wait for the auto-update cycle; this is an actively exploited zero-day, and you don't know where it's going to show up. Open chrome://settings/help, which triggers an update check, then click Relaunch. The patched binary is not in use until the browser actually restarts, so a downloaded-but-not-relaunched update still leaves the old code running. If you manage endpoints, push the update through MDM immediately and verify the installed build afterwards rather than trusting the push succeeded.
And it’s not just Chrome. Chromium is the backbone of almost everything. Edge, Brave, Opera, Vivaldi — and it goes beyond the obvious ones. Perplexity’s Comet browser runs on Chromium. Arc runs on Chromium. If it’s a browser and it’s not Firefox or Safari, it’s probably Chromium. Every one of those needs to be updated once their vendor ships the fix. Make sure you know which Chromium-based browsers are running in your environment, because your users might be on browsers your asset inventory doesn’t even track.
Everyone should have automatic browser updates enabled — that’s table stakes. But for an actively exploited zero-day, automatic isn’t fast enough. Manual update. Now.
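For the endpoint side, here is an added example (written for this post, not Google's or any vendor's tooling) of the check an inventory script needs: compare installed build numbers numerically against the fixed Chrome builds quoted above, and refuse to guess a fixed build for other Chromium browsers or platforms the post doesn't cover, since those numbers must come from each vendor's advisory. The inventory entries at the bottom are constructed.

```cpp
#include <array>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

using Version = std::array<unsigned, 4>;

// Parse "145.0.7632.75" into four numeric components. Missing trailing parts
// are treated as 0; malformed input returns false so callers never treat
// garbage as "patched".
bool parse_version(const std::string& s, Version& out) {
    out = {0, 0, 0, 0};
    std::stringstream ss(s);
    std::string part;
    std::size_t i = 0;
    while (std::getline(ss, part, '.')) {
        if (i >= 4 || part.empty()) return false;
        for (char c : part)
            if (c < '0' || c > '9') return false;
        out[i++] = static_cast<unsigned>(std::stoul(part));
    }
    return i > 0;
}

// Component-wise numeric comparison. A plain string compare gets this wrong:
// "145.0.7632.9" sorts after "145.0.7632.75" as text but is the older build.
bool version_at_least(const std::string& installed, const std::string& fixed) {
    Version a, b;
    if (!parse_version(installed, a) || !parse_version(fixed, b)) return false;
    return a >= b;  // std::array compares lexicographically by element
}

// Fixed Chrome builds as stated in the post above. Other Chromium vendors
// publish their own fixed builds; this table deliberately does not guess them.
struct FixedBuild { std::string platform; std::string version; };
const std::vector<FixedBuild> kChromeFixed = {
    {"windows", "145.0.7632.75"},
    {"mac",     "145.0.7632.75"},
    {"linux",   "144.0.7559.75"},
};

// "patched" or "VULNERABLE" for a Chrome install on a known platform;
// "unknown" when the platform is not in the table. Unparseable versions are
// reported VULNERABLE on purpose (fail closed).
std::string chrome_status(const std::string& platform, const std::string& installed) {
    for (const auto& f : kChromeFixed)
        if (platform == f.platform)
            return version_at_least(installed, f.version) ? "patched" : "VULNERABLE";
    return "unknown";
}

int main() {
    // Constructed inventory: hostname, platform, installed Chrome build.
    struct Host { const char* name; const char* platform; const char* version; };
    const Host inventory[] = {
        {"wks-101", "windows", "145.0.7632.76"},
        {"wks-102", "windows", "145.0.7632.9"},
        {"mac-007", "mac",     "144.0.7559.75"},
        {"lnx-003", "linux",   "144.0.7559.75"},
        {"cros-01", "chromeos", "145.0.7632.75"},
    };
    for (const auto& h : inventory)
        std::printf("%-8s %-8s %-15s %s\n", h.name, h.platform, h.version,
                    chrome_status(h.platform, h.version).c_str());
    return 0;
}
```

Feed it whatever your MDM or EDR exports for `Google Chrome` version strings; the "unknown" rows are the ones to chase down by hand, and for Edge, Brave, Opera and the rest you add a row per vendor only once that vendor has published its fixed build.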
If you’re in leadership: The Chromium monoculture is something worth thinking about. One vulnerability in one codebase just put ~70% of the world’s browsers at risk. Google patches fast — two days from report to fix is impressive — and Chrome’s sandbox architecture limits the blast radius of any single exploit. That’s the upside. The downside is that when the Chromium engine has a flaw, the attack surface is enormous.
This isn’t a “switch browsers” argument. The security benefits of Chromium’s architecture and update cadence are real. But it is an argument for making sure your browser patching is as tight as your OS patching. Browser zero-days are averaging one per month across 2024 and 2025. That’s not a spike — it’s the baseline. If your patching program doesn’t treat browser updates with the same urgency as OS patches, it’s time to fix that.
The bigger picture: We’ve normalized browser zero-days. Chrome had 7 in 2024, 8 in 2025, and the first one of 2026 just dropped. Google’s response is always the same — confirm exploitation, withhold details, ship a patch. The 2-day turnaround is genuinely good. But the cadence tells you something: browsers are one of the most valuable attack surfaces on the internet, and threat actors are investing heavily in finding and exploiting browser vulnerabilities. The best defense is the simplest one: keep your browser updated, and when a zero-day drops, don’t wait. Update now.
Stay alert. Don't let them hack on you.
Subscribe to Don't Hack On Me | donthackonme.com
This post was researched, drafted, and edited with AI assistance. The analysis and perspective are Marcus’s. See something wrong? Leave a comment.