Google's early-2026 Chrome security cycle drew attention with CVE-2026-2441, a high-severity use-after-free vulnerability in CSS. The U.S. National Vulnerability Database describes the flaw as affecting Google Chrome before version 145.0.7632.75 and says it could allow a remote attacker to execute arbitrary code inside a sandbox through a crafted HTML page.

Security coverage at the time emphasized that an exploit existed in the wild. That made the update more urgent than an ordinary patch, because attackers were not merely studying the vulnerability after disclosure; exploitation had already been observed or reported.

The fixed desktop versions included Chrome 145.0.7632.75/76 for Windows and macOS and Chrome 144.0.7559.75 for Linux, according to reporting that referenced Google's advisory. The bug was also added to CISA's Known Exploited Vulnerabilities catalog, which is significant because that catalog is used by U.S. federal agencies and many security teams to prioritize urgent remediation.

Use-after-free vulnerabilities remain a common and dangerous browser bug class. They occur when software continues to reference memory after it has been freed, potentially allowing attackers to manipulate memory and influence program execution. In a browser context, the path to exploitation may begin with a user visiting a malicious webpage.

The practical lesson is straightforward: do not postpone browser restarts after updates. Chrome can download an update silently, but the browser is not fully protected until the new version is running.

CVE-2026-2441 was not just another item in a long list of patch notes. It was a live-risk reminder that attackers continue to focus on browsers and that prompt updating is one of the most effective defenses.
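
The gap between a downloaded update and a running one can be checked across a fleet. The Python sketch below is an added example, not code from Google's advisory or the reporting cited here; it compares each host's running and on-disk Chrome versions with the fixed builds quoted above. The inventory records, host names and sample version strings are constructed, and treating any build at or above the listed one as fixed is an assumption.

```python
import re

# Fixed builds as quoted in the article (lowest listed build per platform).
# Assumption: any build at or above the listed one contains the fix.
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Parse a four-part Chrome version string into a comparable tuple."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), flags=re.ASCII):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def classify(platform, running, on_disk):
    """Return the remediation state for one host."""
    fixed = FIXED.get(platform.lower())
    if fixed is None:
        return "unknown-platform"
    try:
        run, disk = parse_version(running), parse_version(on_disk)
    except ValueError:
        return "unparseable"
    if run >= fixed:
        return "patched"
    # Update downloaded, but the old binary is still the running process.
    if disk >= fixed:
        return "restart-required"
    return "update-required"

# Constructed inventory: (host, platform, running version, version on disk).
INVENTORY = [
    ("host-a", "Windows", "145.0.7632.76", "145.0.7632.76"),
    ("host-b", "macOS", "145.0.7632.45", "145.0.7632.75"),
    ("host-c", "Linux", "144.0.7559.59", "144.0.7559.59"),
    ("host-d", "Windows", "145.0.7632", "145.0.7632.75"),
]

def triage(inventory):
    """Map each host to its state, so pending restarts can be chased."""
    return {host: classify(p, run, disk) for host, p, run, disk in inventory}

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as `restart-required` are the ones the restart advice applies to: the fixed build is installed, but the vulnerable one is still running.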
