Okay, take a deep breath.
We’ll have some enjoyable understanding this vulnerability when you ensure that your browser isn’t affected, utilizing the desk beneath.
| Chromium-based browser | Am I secure? |
|---|---|
| Google Chrome | Make sure you’re working model 145.7632.75 or later. Go to Settings > About Chrome and verify for updates. |
| Microsoft Edge | Make sure you’re working on model 145.0.3800.58 or later. Click on on the three dots (…) on the very right-hand aspect of the window. Click on on Assist and Suggestions > About Microsoft Edge. |
| Vivaldi | Make sure you’re working on model 7.8 or later. Click on the V icon (menu) within the top-left nook, choose Assist > About. |
| Courageous | Make sure you’re working on model v1.87.188 or later. Click on the hamburger menu on the highest proper, choose Assist > About Courageous. |
So, you up to date your browser and mentioned a prayer. If you’re in a position to string complete sentences collectively once more, your first query is: Has CSS actually had the doubtful honor of being the reason for the primary zero-day exploit in Chromium-based browsers for 2026?
I imply, the Chrome replace channel says they mounted a high-severity vulnerability described as “[u]ser after free in CSS” … on Friday the 13th no much less! Should you can’t belief a launch with an outline and date like that, what are you able to belief? Google credit safety researcher Shaheen Fazim with reporting the exploit to Google. The dude’s LinkedIn says he’s knowledgeable bug hunter, and I’d say he deserves the highest attainable bug bounty for locating one thing that a authorities company is saying “in CSS in Google Chrome earlier than 145.0.7632.75 allowed a distant attacker to execute arbitrary code inside a sandbox through a crafted HTML web page.”
Is that this actually a CSS exploit?
One thing doesn’t add up. Even this safety researcher swears through the use of CSS as an alternative of JavaScript, so her security-minded readers don’t must allow JavaScript once they learn her weblog. She trusts the safety of CSS, regardless that she understands it sufficient to create a pure CSS x86 emulator (sidenote: woah). Up to now, most of us have taken without any consideration that the attainable safety points in CSS are comparatively tame. Certainly we don’t all of the sudden stay in a world the place CSS can hijack somebody’s OS, proper?
Effectively, in my view, the headlines describing the bug as a CSS exploit in Chrome are a bit clickbait-y, as a result of they make it sound like a pure CSS exploit, as if malicious CSS and HTML could be sufficient to carry out it. If I’m being sincere, once I first skimmed these articles within the morning earlier than speeding out to catch the prepare to work, the best way the articles had been worded made me think about malicious CSS like:
.malicious-class {
vulnerable-property: 'rm -rf *';
}Within the fictional, nightmare model of the bug that my malinformed creativeness had conjured, some such CSS may very well be “crafted” to inject that shell command someplace it will run on the sufferer’s machine. Even re-reading the reviews extra rigorously, they really feel deliberately deceptive, and it wasn’t simply me. My security-minded good friend’s first query to me was, “However… isn’t CSS, like, tremendous validatable?” After which I dug deeper and discovered the CSS within the proof of idea for the exploit isn’t the malicious bit, which is why CSS validation wouldn’t have helped!
It doesn’t assist the misunderstanding when the SitePoint article about CVE-2026-2441 bizarrely lies to its readers about what this exploit is, as an alternative describing a special medium-severity bug that enables sending the rendered worth of an enter subject to a malicious server by loading pictures in CSS. That isn’t what this vulnerability is.
It’s probably not a CSS exploit within the sense that JavaScript is the half that exploits the bug. I’ll concede that the road of code that creates the situation obligatory for a malicious script to carry out this assault was in Google Chrome’s Blink CSS engine element, however the CSS concerned isn’t the malicious half.
So, how did the exploit work?
The CSS involvement within the exploit lies in the best way Chrome’s rendering engine turns sure CSS right into a CSS object mannequin. Think about the CSS beneath:
@font-feature-values VulnTestFont {
@styleset {
entry_a: 1;
entry_b: 2;
entry_c: 3;
entry_d: 4;
entry_e: 5;
entry_f: 6;
entry_g: 7;
entry_h: 8;
}
}When this CSS is parsed, a CSSFontFeaturesValueMap is added to the gathering of CSSRule objects within the doc.styleSheets[0].cssRules. There was a bug in the best way Chrome managed the reminiscence for the HashMap knowledge construction underlying the JavaScript illustration of the CSSFontFeaturesValueMap, which inadvertently allowed a malicious script to entry reminiscence it shouldn’t have the ability to. This by itself isn’t adequate to trigger hurt aside from crashing the browser, however it might probably kind the premise for a Use After Free (UAF) exploit.
Chrome’s description of the patch mentions that “Google is conscious that an exploit for CVE-2026-2441 exists within the wild,” though for apparent causes, they’re coy in regards to the particulars for a full end-to-end exploit. Worryingly, @font-feature-values isn’t new — it’s been obtainable since early 2023 — however the discovery of an end-to-end UAF exploit could also be current. It will make sense if the code that created the potential of this exploit is outdated, however somebody solely pulled off a working exploit not too long ago. Should you take a look at this detailed clarification of a 2020 Use After Free vulnerability in Chrome throughout the WebAudio API, you get the sense that accessing freed reminiscence is just one piece of the puzzle to get a UAF exploit working. Trendy working methods create hoops that attackers must undergo, which might make this type of assault fairly arduous.
Actual-world examples of this type of vulnerability get advanced, particularly in a Chrome vulnerability the place you possibly can solely set off low-level statements not directly. But when you understand C and wish to perceive the fundamental ideas with a simplified instance, you possibly can do that coding problem. One other method to assist perceive the concepts is that this medium submit in regards to the current Chrome CSSFontFeaturesValueMap exploit, which features a cute analogy during which the pointer to the item is sort of a leash you’re nonetheless holding even after you freed your canine — however an attacker hooks the leash to a cat as an alternative (often called sort confusion), so if you command your “canine” to bark, the attacker taught his cat to suppose that “bark” command means to do one thing malicious as an alternative.
The world is secure once more, however for the way lengthy?
The one-line repair I discussed Chrome made was to alter the Blink code to work with a deep copy of the HashMap that underlies the CSSFontFeaturesValueMap reasonably than a pointer to it, so there isn’t any chance of referencing freed reminiscence. In contrast, it appears Firefox rewrote its CSS renderer in Rust and due to this fact tends to deal with reminiscence administration routinely. Chromium began to assist the usage of Rust since 2023. One of many motivations talked about was “safer (much less advanced C++ general, no reminiscence security bugs in a sandbox both)” and to “enhance the safety (growing the variety of strains of code with out reminiscence security bugs, lowering the bug density of code) of Chrome.” Because it appears the UAF class of exploit has recurred in Chromium through the years, and these vulnerabilities are usually high-severity when found, a extra holistic method to defending towards such vulnerabilities is perhaps wanted, so I don’t must freak you out with one other article like this.
