Okay, take a deep breath.
We’ll have some enjoyable understanding this vulnerability when you ensure that your browser isn’t affected, utilizing the desk under.
| Chromium-based browser | Am I protected? |
|---|---|
| Google Chrome | Make sure you’re operating model 145.7632.75 or later. Go to Settings > About Chrome and verify for updates. |
| Microsoft Edge | Make sure you’re operating on model 145.0.3800.58 or later. Click on on the three dots (…) on the very right-hand aspect of the window. Click on on Assist and Suggestions > About Microsoft Edge. |
| Vivaldi | Make sure you’re operating on model 7.8 or later. Click on the V icon (menu) within the top-left nook, choose Assist > About. |
| Courageous | Make sure you’re operating on model v1.87.188 or later. Click on the hamburger menu on the highest proper, choose Assist > About Courageous. |
So, you up to date your browser and stated a prayer. Once you’re in a position to string complete sentences collectively once more, your first query is: Has CSS actually had the doubtful honor of being the reason for the primary zero-day exploit in Chromium-based browsers for 2026?
I imply, the Chrome replace channel says they mounted a high-severity vulnerability described as “[u]ser after free in CSS” … on Friday the 13th no much less! In case you can’t belief a launch with an outline and date like that, what are you able to belief? Google credit safety researcher Shaheen Fazim with reporting the exploit to Google. The dude’s LinkedIn says he’s knowledgeable bug hunter, and I’d say he deserves the highest attainable bug bounty for locating one thing that a authorities company is saying “in CSS in Google Chrome earlier than 145.0.7632.75 allowed a distant attacker to execute arbitrary code inside a sandbox by way of a crafted HTML web page.”
Is that this actually a CSS exploit?
One thing doesn’t add up. Even this safety researcher swears through the use of CSS as an alternative of JavaScript, so her security-minded readers don’t must allow JavaScript once they learn her weblog. She trusts the safety of CSS, although she understands it sufficient to create a pure CSS x86 emulator (sidenote: woah). Thus far, most of us have taken with no consideration that the attainable safety points in CSS are comparatively tame. Certainly we don’t abruptly reside in a world the place CSS can hijack somebody’s OS, proper?
Properly, for my part, the headlines describing the bug as a CSS exploit in Chrome are a bit clickbait-y, as a result of they make it sound like a pure CSS exploit, as if malicious CSS and HTML could be sufficient to carry out it. If I’m being trustworthy, after I first skimmed these articles within the morning earlier than dashing out to catch the practice to work, the way in which the articles had been worded made me think about malicious CSS like:
.malicious-class {
vulnerable-property: 'rm -rf *';
}Within the fictional, nightmare model of the bug that my malinformed creativeness had conjured, some such CSS may very well be “crafted” to inject that shell command someplace it will run on the sufferer’s machine. Even re-reading the studies extra rigorously, they really feel deliberately deceptive, and it wasn’t simply me. My security-minded good friend’s first query to me was, “However… isn’t CSS, like, tremendous validatable?” After which I dug deeper and discovered the CSS within the proof of idea for the exploit isn’t the malicious bit, which is why CSS validation wouldn’t have helped!
It doesn’t assist the misunderstanding when the SitePoint article about CVE-2026-2441 bizarrely lies to its readers about what this exploit is, as an alternative describing a distinct medium-severity bug that permits sending the rendered worth of an enter discipline to a malicious server by loading photos in CSS. That isn’t what this vulnerability is.
It’s probably not a CSS exploit within the sense that JavaScript is the half that exploits the bug. I’ll concede that the road of code that creates the situation obligatory for a malicious script to carry out this assault was in Google Chrome’s Blink CSS engine part, however the CSS concerned isn’t the malicious half.
So, how did the exploit work?
The CSS involvement within the exploit lies in the way in which Chrome’s rendering engine turns sure CSS right into a CSS object mannequin. Contemplate the CSS under:
@font-feature-values VulnTestFont {
@styleset {
entry_a: 1;
entry_b: 2;
entry_c: 3;
entry_d: 4;
entry_e: 5;
entry_f: 6;
entry_g: 7;
entry_h: 8;
}
}When this CSS is parsed, a CSSFontFeaturesValueMap is added to the gathering of CSSRule objects within the doc.styleSheets[0].cssRules. There was a bug in the way in which Chrome managed the reminiscence for the HashMap information construction underlying the JavaScript illustration of the CSSFontFeaturesValueMap, which inadvertently allowed a malicious script to entry reminiscence it shouldn’t have the ability to. This by itself isn’t enough to trigger hurt aside from crashing the browser, however it will possibly kind the idea for a Use After Free (UAF) exploit.
Chrome’s description of the patch mentions that “Google is conscious that an exploit for CVE-2026-2441 exists within the wild,” though for apparent causes, they’re coy in regards to the particulars for a full end-to-end exploit. Worryingly, @font-feature-values isn’t new — it’s been accessible since early 2023 — however the discovery of an end-to-end UAF exploit could also be current. It might make sense if the code that created the potential for this exploit is outdated, however somebody solely pulled off a working exploit lately. In case you have a look at this detailed rationalization of a 2020 Use After Free vulnerability in Chrome throughout the WebAudio API, you get the sense that accessing freed reminiscence is just one piece of the puzzle to get a UAF exploit working. Trendy working techniques create hoops that attackers need to undergo, which may make this sort of assault fairly arduous.
Actual-world examples of this sort of vulnerability get complicated, particularly in a Chrome vulnerability the place you may solely set off low-level statements not directly. But when you realize C and wish to perceive the essential rules with a simplified instance, you may do that coding problem. One other means to assist perceive the concepts is that this medium put up in regards to the current Chrome CSSFontFeaturesValueMap exploit, which features a cute analogy during which the pointer to the thing is sort of a leash you might be nonetheless holding even after you freed your canine — however an attacker hooks the leash to a cat as an alternative (often called kind confusion), so whenever you command your “canine” to bark, the attacker taught his cat to assume that “bark” command means to do one thing malicious as an alternative.
The world is protected once more, however for a way lengthy?
The one-line repair I discussed Chrome made was to alter the Blink code to work with a deep copy of the HashMap that underlies the CSSFontFeaturesValueMap relatively than a pointer to it, so there isn’t any chance of referencing freed reminiscence. Against this, it appears Firefox rewrote its CSS renderer in Rust and due to this fact tends to deal with reminiscence administration robotically. Chromium began to help the usage of Rust since 2023. One of many motivations talked about was “safer (much less complicated C++ general, no reminiscence security bugs in a sandbox both)” and to “enhance the safety (rising the variety of strains of code with out reminiscence security bugs, reducing the bug density of code) of Chrome.” Because it appears the UAF class of exploit has recurred in Chromium through the years, and these vulnerabilities are usually high-severity when found, a extra holistic strategy to defending in opposition to such vulnerabilities could be wanted, so I don’t need to freak you out with one other article like this.
