Google Chrome is at the center of a critical security rollout following the discovery of CVE-2026-2441, an "in-the-wild" exploit affecting the Chromium CSS component
If you use Google Chrome, Opera, or Vivaldi, it is time to stop what you are doing and check for updates. Google has confirmed that a newly patched vulnerability—already being actively exploited by hackers—poses a significant risk to desktop users.
Google’s latest Chrome Desktop Stable update is still rolling out this week, and it’s one that users may want to prioritize. In its February 13 release note, Google said it is aware of an exploit “in the wild” for CVE-2026-2441, a High-severity use-after-free bug in the browser’s CSS engine.
This isn't just a theoretical risk. Security researchers have detected that malicious actors are already leveraging this flaw to compromise systems, making it critical for users to update their browsers immediately.
The Ripple Effect: Why Opera and Vivaldi Users Are Also at Risk
Since Chrome’s core engine (Chromium) is shared across many browsers, the same CVE also appears in downstream updates. This means that the vulnerability isn't exclusive to Chrome; any browser built on the same architecture inherits the flaw until patched.
Opera’s Stable update on February 14 lists CVE-2026-2441 as a security fix, and Vivaldi’s latest 7.8 minor update also flags the same vulnerability, explicitly noting a known exploit in the wild. If you are using a Chromium-based browser, you must assume you are vulnerable until you verify your update status.
What CVE-2026-2441 is and what’s confirmed so far
To understand the severity of this update, we have to look at the mechanics of the bug. NIST’s National Vulnerability Database (NVD) describes CVE-2026-2441 as a use-after-free issue in Chrome’s CSS handling that could allow a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.
In simple terms, "use-after-free" is a type of memory corruption error. It occurs when a program continues to use a pointer after the memory it points to has been freed. By tricking the user into visiting a specially crafted website, an attacker can exploit this error to bypass security measures and run malicious code on the victim's machine. While the attack occurs within the browser sandbox (which limits what the code can do), combining this with a second bug could potentially allow a hacker to take complete control of a computer.
Google’s Chrome Releases post credits Shaheen Fazim with reporting the issue on February 11, 2026, and notes that access to bug details may remain restricted until most users are updated—standard practice for actively exploited bugs. This secrecy is a double-edged sword: it prevents hackers from learning the exact mechanics of the fix too soon, but it also leaves users in the dark about the specific attack vectors being used in the wild.
Versions that include the fix
Knowing the version numbers is half the battle. Here is the breakdown of which versions contain the patch:
- Google Chrome: Google says Chrome Desktop Stable has been updated to 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux, with the rollout happening over “the coming days/weeks.”
- Opera: Opera’s Stable channel update dated February 14, 2026, lists CVE-2026-2441 in its security highlights for Opera version 127.0.5778.64.
- Vivaldi: Vivaldi’s “Minor update (2) for Vivaldi Desktop Browser 7.8” says it updated to Chromium 144 ESR (144.0.7559.175) and that this build includes the fix for CVE-2026-2441, also noting a known exploit in the wild.
What to do if you haven’t received it yet
One of the biggest points of confusion with browser updates is the staggered rollout. Google often pushes updates slowly to monitor for stability issues. Just because the update was released on the 13th doesn't mean your computer has automatically grabbed it yet.
If you’re on Chrome, the fastest way to verify your status is to open the “About” page and confirm you’re on the patched build (then relaunch when prompted). Because Google’s rollout can be staged, two systems checked on the same day can still be on different point releases until the update wave completes.
For Opera and Vivaldi, the safest approach is the same: check the browser’s built-in update/About section and make sure you’re on the versions listed above (or newer), then restart the browser to ensure the patched code is actually loaded.
Delaying this update by even a few days increases the window of opportunity for attackers. Because the exploit is known to be active, threat actors will likely ramp up phishing campaigns designed to direct users to sites hosting the malicious code.
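For administrators checking more than one machine, the comparison against the versions listed above can be automated. The following Python check is an added example, not code from Google, Opera, Vivaldi or the original article; the inventory row format, host names and sample versions are constructed, and for Vivaldi it assumes the inventory records the bundled Chromium build rather than the Vivaldi product version.

```python
# Fixed builds quoted in the article, keyed by (browser, platform).
# Vivaldi entry is the bundled Chromium build (assumed to be what inventory records).
FIXED = {
    ("chrome", "windows"): "145.0.7632.75",
    ("chrome", "macos"): "145.0.7632.75",
    ("chrome", "linux"): "144.0.7559.75",
    ("opera", "any"): "127.0.5778.64",
    ("vivaldi", "any"): "144.0.7559.175",
}


def parse(version):
    """Turn 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {version!r}")
    return tuple(int(p) for p in parts)


def status(browser, platform, version):
    """Return 'patched', 'vulnerable' or 'verify' for one installation."""
    fixed = FIXED.get((browser, platform)) or FIXED.get((browser, "any"))
    if fixed is None:
        return "verify"        # browser/platform not covered by the article
    try:
        have, want = parse(version), parse(fixed)
    except ValueError:
        return "verify"        # unparseable inventory value
    if have[0] < want[0]:
        return "vulnerable"    # older milestone than the fixed one
    if have[0] > want[0]:
        # Newer milestone: an early build on that branch can predate the fix.
        return "verify"
    return "patched" if have >= want else "vulnerable"


def audit(rows):
    """rows: iterable of (host, browser, platform, version) tuples."""
    return {host: status(b, p, v) for host, b, p, v in rows}


SAMPLE = [  # constructed inventory, not real hosts
    ("ws-02", "chrome", "windows", "145.0.7632.45"),
    ("lx-01", "chrome", "linux", "145.0.7632.45"),
    ("ws-03", "opera", "windows", "127.0.5778.64"),
    ("mac-01", "vivaldi", "macos", "144.0.7559.96"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "verify" result means the listed versions cannot settle the question, for example a build from a newer milestone than the one the article names for that platform; confirm those against the vendor's release notes.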
Source(s)
For those who like to dig into the technical details or verify the findings directly, here are the official announcements regarding the patch:
