
Google Chrome Emergency Update: Act Fast on 2026 Zero-Day
If you opened Chrome this week and saw an unexpected “update available” prompt, that gut feeling was right. Google pushed an emergency patch on February 13, 2026, after confirming that an actively exploited zero-day vulnerability was being weaponized against real users.
CVE ID: CVE-2026-2441 · Latest Version: 145.0.7632.159/160 · Exploit Status: Actively exploited · Patch Date: February 2026 · Zero-Days in 2026: Fourth
Quick snapshot
- CVE-2026-2441 zero-day (Chrome Releases Blog)
- Webpage code execution via CSS flaw (NIST NVD)
- Fourth in 2026 (Malwarebytes)
- Version 145.0.7632.159 (Windows/Mac) (Lansweeper)
- Windows/Mac/Linux affected (Chrome Releases Blog)
- Immediate rollout to Stable channel (Penligent)
- Help > About Chrome (Malwarebytes)
- Relaunch required after install (SOCPrime)
- Android via Play Store, iOS via App Store (NotebookCheck)
- All users before version 145.0.7632.159 (Lansweeper)
- Chromium browsers (Edge, Brave, Opera) (Orca Security)
- Cloud workloads and CI/CD pipelines (Orca Security)
Three things stand out in this patch cycle: CVE-2026-2441 marks the first Chrome zero-day of 2026, Google confirmed the exploit was circulating in active attacks, and the vulnerability was added to CISA’s catalog with a March 10 deadline for federal agencies.
The table below consolidates the critical technical specifications that security teams and end users need to verify their current patch status.
| Detail | Value |
|---|---|
| Affected Versions | Prior to 145.0.7632.159 |
| Patch Channels | Stable for Win/Mac/Linux |
| Exploit Type | High-severity zero-day |
| First Reported | February 11, 2026 |
| CVSS Score | 8.8 (High) |
| Reporter | Shaheen Fazim |
Why did Google release an emergency Chrome security update?
The emergency patch addresses CVE-2026-2441, a use-after-free vulnerability in Chrome’s CSS rendering component. A use-after-free flaw occurs when a program attempts to use memory after it has been freed, allowing an attacker to corrupt memory and potentially execute arbitrary code. Google released the fix on February 13, 2026, via the Stable channel for Windows, Mac, and Linux. Security researcher Shaheen Fazim reported the vulnerability on February 11, 2026, and Google confirmed the same day that an exploit existed in the wild — meaning attackers were already using it before the patch was publicly available. CISA added CVE-2026-2441 to its Known Exploited Vulnerabilities catalog on February 17, 2026, citing active exploitation, and gave federal agencies until March 10, 2026, to apply mitigations.
Details on CVE-2026-2441
- Type: Use-after-free in CSS component (CWE-416)
- CVSS v3.1 base score: 8.8 (High)
- Fixed versions: 145.0.7632.75/76 (Windows/Mac), 144.0.7559.75 (Linux)
- Attack vector: Crafted HTML page loaded in Chrome
- Google used AddressSanitizer to detect the flaw during internal testing
The vulnerability allows a malicious webpage to achieve arbitrary code execution within Chrome’s sandbox, which is a significant step toward full system compromise if combined with additional exploits. According to SOCPrime, the practical risk includes malware delivery and credential theft. Chrome’s sandbox normally confines browser processes, but CVE-2026-2441 can serve as an entry point for more sophisticated attack chains. A follow-up update on February 18, 2026, bumped the version to 145.0.7632.109/110 to address any issues with the initial patch.
Exploits in the wild
Google’s official Chrome Releases Blog explicitly states the company is aware that an exploit for CVE-2026-2441 exists in the wild. The NVD (National Vulnerability Database) classifies the severity as High and confirms that publicly available exploit code has increased the practical risk. Menlo Security notes this was part of a compressed 72-hour double-patch cycle, where Google released a follow-up update within days of the initial fix — a signal that the first patch either didn’t fully resolve the issue or that exploitation was accelerating. According to Orca Security, the vulnerability also affects headless cloud workloads and CI/CD pipelines running Chromium-based browsers in automated environments, where automatic updates may be disabled or delayed.
Fourth zero-day of 2026
CVE-2026-2441 holds what Malwarebytes calls “the questionable honor of being the first Chrome zero-day of 2026.” Zero-day vulnerabilities are particularly dangerous because by definition, there is zero days between when the vulnerability becomes known and when an exploit appears. This means organizations and users had no window to apply preventive patches before attacks began. The pattern of frequent Chrome zero-days in 2026 suggests sustained interest from threat actors in targeting browser infrastructure, especially as more critical workflows shift to web-based applications.
Google’s own Chrome Releases Blog confirmed active exploitation of CVE-2026-2441 — that’s vendor-level admission, not speculation. For Chrome’s billions of users, this isn’t a theoretical future risk. Patch now.
Is the Google Chrome warning real?
Yes. If Chrome is surfacing an update prompt this week, it is tied to a real, confirmed security emergency. The warning is not a marketing nudge or a background refresh — it reflects Google’s official advisory about an actively exploited vulnerability. Users on Windows, macOS, and Linux running versions prior to 145.0.7632.75/76 should treat the prompt as mandatory, not optional. On mobile, the same urgency applies: Android users need version 145.0.7632.109 or later via Google Play, and iOS users need 145.0.7632.108 or later via the App Store. Both mobile updates were confirmed by NotebookCheck as rolling out shortly after the desktop patch.
Signs of legitimate warnings
Legitimate Chrome security warnings typically appear as update prompts in the browser’s menu bar or when you navigate to Settings > Help > About Google Chrome. Chrome also surfaces warnings when you attempt to visit a site that Google’s Safe Browsing API has flagged as dangerous. A real emergency update notification, however, does not link to an external site — it triggers an in-browser prompt that directs you to the built-in update mechanism. If you see a pop-up on a webpage claiming to be a “Chrome security alert” and asking you to download something, that is almost certainly a phishing attempt. Malwarebytes has documented cases where attackers impersonate browser warnings to distribute fake security tools.
Unsafe site alerts vs. malware
Chrome’s Safe Browsing feature flags sites known to host malware or phishing content, displaying a red warning screen before the page loads. These warnings are genuine and handled entirely within the browser. However, CVE-2026-2441 is different — the exploit does not require you to visit a flagged site. An attacker can craft a seemingly innocent webpage containing malicious CSS that triggers the use-after-free condition the moment Chrome renders it. You do not need to click anything or download a file. Opening the page is sufficient, which is why the emergency patch matters even for careful users who avoid suspicious sites.
Verify via official channels
To confirm whether your current version is vulnerable, open Chrome and navigate to Settings > Help > About Google Chrome. The version number is displayed at the top of the page, and Chrome will automatically check for updates when you open this section. If an update is available, a button will appear prompting you to relaunch the browser. You can also cross-reference your version against Google’s official release blog, which lists all stable channel versions and their associated security fixes. The Chrome Releases Blog is the authoritative source for all version announcements and security patch details.
Staged rollouts mean some users may not see the update prompt immediately. If your Chrome is not prompting an update yet, manually check via Help > About Google Chrome. Delays in staged rollouts can leave users exposed for days.
Why is Chrome asking me to update?
Chrome is asking you to update because Google’s security team identified a critical flaw and pushed an emergency patch to the Stable channel. The browser’s update mechanism works on a staged rollout schedule — new versions are released to a percentage of users first, then expanded to the full user base over days or weeks. However, when a vulnerability is being actively exploited, Google can accelerate this rollout or push an immediate update to all users. CVE-2026-2441 triggered exactly this scenario, which is why many users saw the update prompt appear suddenly rather than as part of Chrome’s normal quiet update cycle. The sudden appearance of an update prompt, especially outside of Chrome’s typical 2-4 week release cadence, is a reliable indicator that a serious security issue is involved.
Auto-update prompts
Chrome checks for updates every time it launches and periodically while running. When a new version is available and your installation is eligible, Chrome downloads it in the background and prompts you to relaunch the browser to complete the installation. The relaunch step is not optional — the patch only takes effect after you close and reopen Chrome. This is why the update prompt displays a prominent “Relaunch” button rather than just a notification. For enterprise environments using Chrome policies, updates may be managed via Group Policy or MDM, but individual users should treat the in-browser prompt as the definitive signal that a patch is available.
Emergency patch notifications
Emergency patches differ from regular updates in that they address vulnerabilities already being exploited in the wild. Google does not always issue separate public announcements for routine security updates, but CVE-2026-2441 warranted a dedicated blog post on the Chrome Releases Blog and inclusion in CISA’s catalog. This dual-track communication — an in-browser update prompt plus an official public advisory — is reserved for the most severe cases. According to SOCPrime, the emergency patch requires a browser restart to apply, and any user who delays relaunching remains vulnerable. The patch itself is applied silently when Chrome closes, but the new version only takes effect after a full relaunch.
Relaunch requirements
After installing the update, Chrome will not fully apply the security fix until you relaunch the browser. This means closing all Chrome windows and tabs and reopening Chrome normally. On desktop, you can either click the “Relaunch” button in the update prompt or manually close and reopen the browser. On mobile, the update applies automatically when you open Chrome after the app store delivers the new version. If you use Chrome across multiple devices, each device needs to be updated and relaunched separately. The key takeaway: seeing the update prompt is only the first step. You must actively relaunch Chrome for the patch to take effect.
How can I force Google Chrome to update?
If Chrome is not prompting you to update, you can force the check manually. The process takes less than two minutes and ensures you are running the latest patched version rather than waiting on Chrome’s staggered rollout. For most desktop users, the Help > About path is the fastest route. For Android users, the Google Play Store handles delivery. If the update fails to install, there are troubleshooting steps available for both platforms.
Steps on computer
- Open Chrome and click the three-dot menu in the top-right corner.
- Select Help from the dropdown, then click About Google Chrome.
- Chrome immediately checks for updates and displays your current version.
- If an update is available, click Relaunch Chrome to apply it.
- After the browser restarts, verify the version number under the same path to confirm installation.
On Windows, macOS, and Linux, the Help > About path works identically. Chrome downloads the update in the background and you will see a “Update available” message before clicking relaunch. If you do not see any update option and your version is current, you may already be on the patched version.
Android update process
- Open the Google Play Store app on your Android device.
- Search for Google Chrome or navigate to your installed apps.
- Tap Update if the button is present. If only Open appears, Chrome is already current.
- After the update installs, open Chrome and verify the version under Settings > Help > About Chrome.
Android Chrome 145.0.7632.109 was the patched version confirmed by NotebookCheck for mobile users. Automatic updates via Google Play will deliver the patch within 24-48 hours for most users, but you can force an immediate check through the Play Store app listing. If your device does not support the latest version due to OS limitations, consider using Chrome’s Lite mode or an alternative browser while waiting for a compatible patch.
Troubleshoot failures
If Chrome update fails to download, try clearing the Google Play Services cache (Android) or reinstalling Chrome (desktop). On desktop, navigate to Settings > Advanced > Reset and clean up > Reset and clean up Chrome, which reinstalls the browser without losing your bookmarks or saved passwords. For enterprise users with managed devices, contact your IT administrator — group policy settings may be blocking automatic updates. On Linux, if the apt package manager is used, run sudo apt update && sudo apt upgrade google-chrome-stable to fetch the latest package.
If your Chrome update appears to install but the version number doesn’t change after relaunch, a background process may be blocking the update. Check Task Manager (Windows) or Activity Monitor (Mac) for running Chrome processes and end them all before relaunching again.
What happens if I don’t update my browser?
If you do not update Chrome, you remain exposed to a confirmed active exploit. CVE-2026-2441 allows a crafted webpage to execute arbitrary code on your machine through the Chrome renderer process. While Chrome’s sandbox limits direct system access, successful exploitation paired with a sandbox escape vulnerability could give attackers full control over your device. According to SOCPrime, the practical risks include malware installation, credential theft, and session hijacking. For enterprise users, a compromised browser can serve as a pivot point for accessing internal networks or corporate data. The bottom line: delaying this update is not a neutral choice. Every hour without the patch is an active window for attack.
Risks of zero-day exploits
A zero-day exploit has no warning and no available patch at the time it is discovered. CVE-2026-2441 was actively exploited for at least two days before Google’s patch arrived on February 13, 2026 — meaning anyone who visited a malicious page during that window may have been compromised without knowing it. The vulnerability requires no user interaction beyond visiting a page. Attackers can host malicious CSS payloads on compromised websites, ad networks, or spear-phishing pages to harvest data or deploy secondary payloads. CISA’s inclusion of CVE-2026-2441 in the Known Exploited Vulnerabilities catalog reflects the seriousness: federal agencies are required to patch within 21 days of catalog addition (by March 10, 2026), and CISA strongly advises all organizations and individuals to treat this timeline as a minimum standard.
Malware infection paths
Once CVE-2026-2441 is successfully exploited, the attacker gains code execution within Chrome’s renderer process. From there, the attacker can read browser cookies, intercept form data, capture keystrokes, and access stored credentials for any site visited in the browser. According to Lansweeper, the exploit can also cause browser crashes, rendering issues, and data corruption in affected sessions. In targeted attacks observed by Orca Security, threat actors have used browser-based footholds to establish persistence and move laterally within networks. For consumers, the most immediate risk is credential theft — attackers frequently monetize browser access by exporting saved passwords and session tokens from sites like banking portals, email providers, and corporate intranets.
Long-term security gaps
Running an outdated version of Chrome creates compounding risk over time. Each new zero-day widens the attack surface because older versions lack patches for multiple vulnerabilities simultaneously. An attacker who compromises a browser running version 144 may use that access to install a persistent backdoor that survives the eventual update — which is why a full malware scan is recommended after updating following any period of known exposure. Chrome’s built-in Safe Browsing protection does not fully mitigate zero-day exploits because zero-days by definition are unknown until the patch arrives. Relying on heuristics or partial mitigations is not a substitute for applying the actual patch. For power users, disabling JavaScript globally is the only workaround that fully blocks the exploit path, but this breaks most modern websites and is not practical for daily use.
How do I update Chrome on Android and iOS?
Mobile Chrome users are not exempt from this emergency patch. Android Chrome 145.0.7632.109 and iOS Chrome 145.0.7632.108 contain the fix, and both platforms receive updates through their respective app stores. The process differs from desktop: mobile users do not manually trigger updates through the browser interface but instead rely on Google Play (Android) or the App Store (iOS) to deliver the patched version. Automatic updates will roll out over 24-48 hours by default, but you can check manually to accelerate the process.
Android steps
- Open Google Play Store.
- Tap your profile icon (top right) and select Manage apps and device.
- Find Google Chrome in the list of installed apps.
- Tap Update if the option is available. If not, the app is already current.
- Open Chrome and navigate to Settings > About Chrome to confirm version 145.0.7632.109 or later.
iOS steps
- Open the App Store and tap your profile icon.
- Scroll to Available Updates and check for Chrome in the list.
- Tap Update next to Google Chrome if an update is pending.
- Verify the installed version matches 145.0.7632.108 or later via Settings > Google > About Chrome.
Timeline
The following chronology tracks the key events from initial discovery through federal compliance deadline.
| Date | Event |
|---|---|
| February 11, 2026 | Security researcher Shaheen Fazim reports CVE-2026-2441 |
| February 13, 2026 | Google releases patch in Stable channel (version 145.0.7632.75/76) |
| February 17, 2026 | CISA adds CVE-2026-2441 to Known Exploited Vulnerabilities catalog |
| February 18, 2026 | Follow-up update to 145.0.7632.109/110 released |
| March 10, 2026 | CISA federal agency mitigation deadline |
Confirmed vs. Unclear
Confirmed
- Exploits in wild per Google advisory
- Patch versions confirmed for all platforms
- CVE-2026-2441 officially assigned
- CVSS score of 8.8 confirmed
- CISA catalog entry active
Unclear
- Exact count of confirmed victims
- Full technical details withheld by Google
- Public proof-of-concept availability
- Regional distribution of attacks
What experts say
“Google is aware that an exploit for CVE-2026-2441 exists in the wild.”
— Google (Chrome Releases Blog, official vendor advisory, February 2026)
“CVE-2026-2441 has the questionable honor of being the first Chrome zero-day of 2026.”
— Malwarebytes (security firm, threat intelligence analysis, February 2026)
“This is an actively exploited browser memory corruption bug with network reach and a user interaction trigger.”
— Penligent (security researcher, technical breakdown, February 2026)
Related reading: USB to USB-C guide · Best 55 inch TVs
Google’s emergency Chrome patch fixes the exploited CVE-2026-2441 zero-day, where detailed update instructions for all platforms help users stay protected swiftly.
Frequently asked questions
How do I check my Chrome version?
Open Chrome, click the three-dot menu (top right), go to Help > About Google Chrome. The current version number is displayed at the top. Compare it against 145.0.7632.75/76 (Windows/Mac) or 144.0.7559.75 (Linux) — anything below those versions needs the patch.
What if Chrome update fails to download?
On desktop: close all Chrome windows, uninstall Chrome via system settings, then reinstall from the official download page at google.com/chrome. On Android: clear Google Play Services cache via Settings > Apps > Google Play Services > Storage > Clear cache, then retry the update. If the issue persists, your device may be blocked by a managed policy — contact your IT administrator.
Does the emergency update fix malware already installed?
The patch closes the vulnerability that allowed the initial infection, but it does not remove malware that was already installed before the update. If you believe you visited a suspicious page between February 11-13, 2026, run a full scan with Malwarebytes or your preferred security tool after updating Chrome. Also change passwords for critical accounts accessed during that window.
How to reset Chrome if compromised?
Go to Settings > Advanced > Reset and clean up > Reset settings to original defaults. This removes extensions, resets startup pages, and clears cache but preserves bookmarks and saved passwords. After resetting, immediately change passwords for your most critical accounts from a clean device.
Is Chrome auto-update disabled?
Chrome auto-updates by default, but enterprise admins can disable updates via group policy. If you are on a managed device and the update prompt does not appear, check with your IT administrator. Individual users on personal devices can verify auto-update status by ensuring Chrome is not running in a controlled folder or that a third-party update blocker is not active.
What browsers handle zero-days better?
All Chromium-based browsers (Edge, Brave, Opera) share the same underlying engine and are affected by this vulnerability. Firefox uses a different rendering engine (Gecko) and is not affected by CVE-2026-2441 specifically. However, no browser is immune to all zero-days — switching browsers reduces exposure to this specific flaw but does not eliminate browser-based risk entirely. Keeping whichever browser you use updated remains the most effective defense.
How to remove Chrome unsafe software?
Chrome has a built-in cleanup tool. Go to Settings > Advanced > Reset and clean up > Clean up computer. Chrome will scan for and remove unwanted software that modifies browser behavior. After the cleanup, restart Chrome and run the emergency update if you have not already done so.