Zero‑Day Use‑After‑Free in Chrome’s CSSFontFeatureValuesMap Enables Remote Code Execution
What Happened — A use‑after‑free (UAF) vulnerability (CVE‑2026‑2441) was discovered in the Blink CSS engine of Google Chrome 145.0.7632.75 and earlier Chromium‑based browsers. The flaw allows an attacker to craft a malicious web page that triggers arbitrary code execution inside the browser sandbox. The exploit was observed in the wild before a patch was released.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Browser‑based attacks can compromise any endpoint that accesses untrusted web content, expanding the attack surface of third‑party SaaS and cloud services.
- Exploited zero‑days bypass traditional perimeter defenses, requiring vendors to demonstrate rapid patching and robust vulnerability management.
- Persistent exploitation may lead to credential theft, data exfiltration, or lateral movement within a partner’s network.
Who Is Affected — Enterprises across all sectors using Chrome, Microsoft Edge (pre‑Chromium 145), Opera, or any Chromium‑based browser on Windows 11, Linux, or macOS.
Recommended Actions —
- Verify that all browsers are updated to Chrome 145.0.7632.75 or later (or equivalent patched versions of Edge/Opera).
- Enforce a strict Content Security Policy (CSP) and enable site isolation where possible.
- Review endpoint detection and response (EDR) rules for anomalous sandbox activity.
- Confirm that third‑party vendors have applied the patch to any internal browsers or embedded Chromium components.
Technical Notes — The flaw resides in css_font_feature_values_map.cc: an iterator holds a raw pointer into a HashMap whose storage is freed during a rehash when the map is mutated, leaving the iterator dangling and producing a UAF. Exploitation yields arbitrary code execution within the Chrome sandbox (CVSS 8.8 High). The patch replaces the raw pointer with a deep copy. Source: Exploit‑DB 52542
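As an added illustration (not code from the advisory or from Chromium), the following C++ stand-in shows the defect class and the patch's approach: a live iterator over a hash map becomes dangling once a mutation forces a rehash, whereas iterating a deep copy of the entries is unaffected by mutations of the live map. FeatureMap, insertTriggersRehash, forEachSnapshot and demo are assumed names; std::unordered_map stands in for Blink's HashMap.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Hypothetical stand-in for the map behind CSSFontFeatureValuesMap:
// feature-value name -> numeric value.
using FeatureMap = std::unordered_map<std::string, int>;

// Does inserting `extra` entries into `map` trigger a rehash?
// A rehash reallocates the bucket array and invalidates every outstanding
// iterator; this is the condition the raw-pointer iterator ran into.
bool insertTriggersRehash(FeatureMap map, int extra) {
    const std::size_t before = map.bucket_count();
    for (int i = 0; i < extra; ++i)
        map.emplace("feature" + std::to_string(i), i);
    return map.bucket_count() != before;
}

// Unsafe pattern, shown only as structure and never executed here:
// a live iterator survives a visitor that mutates the same map.
// Once an emplace forces a rehash, `it` dangles and `++it` is a UAF.
//
//   for (auto it = map.begin(); it != map.end(); ++it)
//       visitor(it->first, map);   // visitor may insert -> rehash -> UAF
//
// Hardened pattern mirroring the patch: deep-copy the entries first, then
// iterate the copy. Mutations of the live map cannot free anything the
// loop still references. Returns the number of entries visited.
template <typename Visitor>
std::size_t forEachSnapshot(FeatureMap& map, Visitor visitor) {
    std::vector<std::pair<std::string, int>> snapshot(map.begin(), map.end());
    for (const auto& entry : snapshot)
        visitor(entry.first, entry.second, map);
    return snapshot.size();
}

// Constructed scenario: the visitor inserts enough entries to force a
// rehash mid-traversal. The snapshot loop still visits exactly the three
// original entries, and the map ends with 3 + 3 * 50 = 153 entries.
std::size_t demo() {
    FeatureMap map{{"liga", 1}, {"smcp", 2}, {"swsh", 3}};
    forEachSnapshot(map, [](const std::string& name, int, FeatureMap& m) {
        for (int i = 0; i < 50; ++i)
            m.emplace(name + "-" + std::to_string(i), i);  // mutation mid-loop
    });
    return map.size();
}
```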