Google Patches First Chrome Zero-Day Exploit of 2026 After Real-World Attacks


Google Releases Emergency Update to Patch High-Severity Chrome Vulnerability

Google has released an emergency update to address a high-severity vulnerability in Chrome, marking the first zero-day exploit patched by the company this year.

Vulnerability Details

The vulnerability, tracked as CVE-2026-2441, is a use-after-free in Chrome’s implementation of CSS font feature values (the @font-feature-values at-rule). A use-after-free is a memory-safety bug: code keeps a pointer to an object after that object has been freed, so later accesses read or write memory the allocator may already have handed to something else. The visible symptoms range from renderer crashes and rendering glitches to corrupted data and other undefined behavior, and because CSS is controlled by whoever serves the page, a reachable bug of this kind can become the memory-corruption primitive an attacker needs to run code inside Chrome’s sandboxed renderer process.

According to Google, an exploit for this vulnerability is currently being used in the wild. However, the company has not provided further details about the attacks, citing the need to restrict access to bug details and links until a majority of users have been updated with a fix.

Cause and Fix

The root cause is an iterator invalidation bug in CSSFontFeatureValuesMap, part of Chrome’s CSS font feature values implementation in the Blink rendering engine. Iterator invalidation means a container was modified while an iterator into it was still in use, leaving that iterator pointing at storage that had already been freed; the next use of it is the use-after-free. Security researcher Shaheen Fazim reported the issue, and Google has patched it in the Stable Desktop channel.
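The following is an added illustration of the bug class described above, not Chromium’s code and not the actual defect in CSSFontFeatureValuesMap (whose details Google has not published). It uses a hypothetical FeatureValuesMap of @font-feature-values names to numeric values, with constructed sample entries, and shows the erase-while-iterating pattern that dangles an iterator into a node-based map next to the safe idiom.

```cpp
// Added illustration (not Chromium code): the iterator-invalidation bug class
// on a node-based map, shown beside the safe idiom. FeatureValuesMap and the
// sample entries are hypothetical stand-ins; Chrome's real defect in
// CSSFontFeatureValuesMap is not public in detail.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical map of @font-feature-values names to their numeric values,
// e.g. "swash" -> {1, 2}.
using FeatureValuesMap = std::map<std::string, std::vector<int>>;

// Constructed sample input (not data from the page).
FeatureValuesMap sample_font_feature_values() {
    return {
        {"swash",      {1, 2}},
        {"styleset",   {}},      // empty: to be pruned
        {"ornaments",  {3}},
        {"annotation", {}},      // empty: to be pruned
    };
}

// BUGGY: erase() destroys the node `it` points to, but the for-loop then
// runs ++it on that dangling iterator. std::map's increment reads the
// freed node's links: a use-after-free. Kept only to show the pattern;
// nothing in this file calls it.
size_t prune_empty_unsafe(FeatureValuesMap& map) {
    size_t removed = 0;
    for (auto it = map.begin(); it != map.end(); ++it) {
        if (it->second.empty()) {
            map.erase(it);   // `it` is now invalid...
            ++removed;       // ...and the loop's ++it touches freed memory
        }
    }
    return removed;
}

// SAFE: advance with the iterator erase() returns, which already refers to
// the element after the removed one; the erased iterator is never reused.
size_t prune_empty_safe(FeatureValuesMap& map) {
    size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (it->second.empty()) {
            it = map.erase(it);
            ++removed;
        } else {
            ++it;
        }
    }
    return removed;
}

// Prune a fresh sample with the safe routine and hand back the result.
FeatureValuesMap pruned_sample() {
    FeatureValuesMap map = sample_font_feature_values();
    prune_empty_safe(map);
    return map;
}

int main() {
    FeatureValuesMap map = sample_font_feature_values();
    size_t removed = prune_empty_safe(map);
    std::printf("removed %zu empty entries, %zu remain:\n", removed, map.size());
    for (const auto& entry : map)
        std::printf("  %s (%zu values)\n", entry.first.c_str(), entry.second.size());
    return 0;
}
```

To see the unsafe variant fail rather than silently corrupt memory, build with `-fsanitize=address` and call `prune_empty_unsafe` on the sample; AddressSanitizer reports a heap-use-after-free at the loop's `++it`. In C++20 code, `std::erase_if(map, pred)` expresses the safe version without any hand-written iterator handling at all.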

The fix has been rolled out to Windows, macOS, and Linux users as versions 145.0.7632.75/76; version 144.0.7559.75 also carries the fix.

Zero-Day Vulnerabilities

While this is the first actively exploited Chrome vulnerability patched this year, Google addressed a total of eight zero-days exploited in the wild last year. Many of these vulnerabilities were reported by the company’s Threat Analysis Group (TAG), which tracks and identifies zero-days used in spyware attacks targeting high-risk individuals.

Recommendations

Google has advised users to update Chrome to the latest version. Chrome downloads updates automatically on most installations, but a downloaded update does not take effect until the browser is relaunched; chrome://settings/help shows the running version and prompts for a relaunch when one is pending. Anyone managing Chrome across a fleet should confirm the deployed build number rather than assume auto-update has completed.
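As an added example (not Google’s or Chromium’s code) of the check just described, the program below decides whether an installed Chrome build carries the fix by comparing its four-part version against the fixed builds named in this article: 145.0.7632.75 for the 145 line and 144.0.7559.75 for the 144 line. Treating every major version newer than 145 as fixed, and every one older than 144 as unfixed, is an assumption made here; the sample version strings fed to it are constructed.

```cpp
// Added example (not Google's or Chromium's code): classify an installed
// Chrome version against the fixed builds for CVE-2026-2441 given in the
// advisory text. The assumption that majors newer than 145 include the fix
// is the author's, not something the advisory states.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

enum class PatchStatus { Patched, Vulnerable, Unparsable };

// Fixed builds from the article, one entry per release line (major version).
static const std::vector<std::vector<int>> kFixedBuilds = {
    {145, 0, 7632, 75},
    {144, 0, 7559, 75},
};

// Parse "145.0.7632.75" into {145, 0, 7632, 75}; reject anything else.
bool parse_chrome_version(const std::string& text, std::vector<int>& out) {
    out.clear();
    size_t pos = 0;
    while (pos <= text.size()) {
        size_t dot = text.find('.', pos);
        std::string part = text.substr(pos, dot == std::string::npos ? std::string::npos : dot - pos);
        if (part.empty() || part.size() > 9) return false;   // no empty or absurd parts
        for (char c : part)
            if (c < '0' || c > '9') return false;             // digits only
        out.push_back(std::atoi(part.c_str()));
        if (dot == std::string::npos) break;
        pos = dot + 1;
    }
    return out.size() == 4;   // Chrome versions always have four components
}

PatchStatus chrome_patch_status(const std::string& installed) {
    std::vector<int> v;
    if (!parse_chrome_version(installed, v)) return PatchStatus::Unparsable;
    for (const auto& fixed : kFixedBuilds) {
        if (v[0] == fixed[0]) {
            // Same release line: lexicographic compare of all four components.
            return v >= fixed ? PatchStatus::Patched : PatchStatus::Vulnerable;
        }
    }
    // No entry for this major. Assumption: majors newer than the newest fixed
    // line (145) carry the fix; anything older than the 144 line does not.
    return v[0] > kFixedBuilds[0][0] ? PatchStatus::Patched : PatchStatus::Vulnerable;
}

const char* patch_status_name(PatchStatus s) {
    switch (s) {
        case PatchStatus::Patched:    return "patched";
        case PatchStatus::Vulnerable: return "VULNERABLE";
        default:                      return "unparsable";
    }
}

int main() {
    // Constructed sample inputs, as a fleet inventory might report them.
    const char* samples[] = {"145.0.7632.76", "145.0.7632.74", "144.0.7559.75",
                             "143.0.7499.192", "146.0.7700.1", "145.0.7632"};
    for (const char* s : samples)
        std::printf("%-16s %s\n", s, patch_status_name(chrome_patch_status(s)));
    return 0;
}
```

The same-major comparison is the part that matters: a build such as 145.0.7632.74 is newer than the 144 fix yet still vulnerable, and a plain numeric or string comparison against a single threshold would get one of the two release lines wrong.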

The fix was cherry-picked, that is, backported from Chromium’s main development branch onto the stable release branches across several commits, which is how a security fix ships in a stable update rather than waiting for the next major version. The commit message also notes that there may be “remaining work” on related issues, tracked in bug 483936078, so further hardening in this area may follow.

Risk and Mitigation

Zero-day vulnerabilities are dangerous precisely because they are exploited before a patch exists. Once Google ships the fix, the remaining exposure is the window between the release and the moment each user’s browser is updated and relaunched, so users should confirm they are running a fixed build rather than assume they are.


