Google patches actively exploited Chrome zero-day 

 


Google has released security updates for its Google Chrome browser to address a high-severity vulnerability that has been actively exploited in zero-day attacks. The flaw, tracked as CVE-2026-2441, is the first Chrome zero-day patched since the beginning of the year.

The flaw is a use-after-free error in the CSS component of Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free error, and execute arbitrary code on the target system.

Google said it is aware that “an exploit for CVE-2026-2441 exists in the wild.” However, the company did not disclose details about the attacks or who may be behind them.

Google said access to detailed bug information will remain restricted until most users have updated their browsers. The company also noted that restrictions may continue if the flaw affects third-party libraries that other projects depend on and have yet to patch.

Users can manually check for updates or allow Chrome to automatically install the fix upon the next browser restart.

Last week, Apple released security updates to address a zero-day vulnerability that the company says was exploited in an “extremely sophisticated attack.” The flaw, tracked as CVE-2026-20700, is an arbitrary code execution issue in dyld, the Dynamic Link Editor used across Apple operating systems including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. An attacker with memory write capabilities could exploit the vulnerability to execute malicious code on affected devices. Apple said it is aware of reports that the vulnerability was used in targeted attacks on versions of iOS prior to iOS 26. The company also noted that two previously disclosed flaws, CVE-2025-14174 and CVE-2025-43529, which were patched in December, were exploited in the same incidents.
