## https://sploitus.com/exploit?id=1753A83F-4AED-5BC1-9CC1-301410739590
# CVE-2026-2441 โ Chrome CSSFontFeatureValuesMap Use-After-Free
**CVSS 8.8 (High)** | **Actively Exploited in the Wild** | **Renderer RCE (Sandboxed)**
A use-after-free vulnerability in Google Chrome's Blink CSS engine that allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.
## Vulnerability Details
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-2441 |
| **CVSS** | 8.8 (High) |
| **Type** | Use-After-Free (CWE-416) |
| **Component** | Blink CSS โ `CSSFontFeatureValuesMap` |
| **Source File** | `third_party/blink/renderer/core/css/css_font_feature_values_map.cc` |
| **Fix Commit** | `63f3cb4864c64c677cd60c76c8cb49d37d08319c` |
| **Reporter** | Shaheen Fazim (2026-02-11) |
| **Patch Date** | 2026-02-13 |
| **In-the-Wild** | Yes โ Google confirmed active exploitation |
## Affected Versions
| Platform | Vulnerable | Fixed |
|----------|-----------|-------|
| Windows / macOS (Stable) | = 145.0.7632.75 |
| Linux (Stable) | = 144.0.7559.75 |
| Windows / macOS (Extended Stable) | = 144.0.7559.177 |
| Chromium-based browsers (Edge, Brave, Opera, Vivaldi) | Check vendor advisory | Varies |
## Root Cause
`FontFeatureValuesMapIterationSource` stored a **raw pointer** (`const FontFeatureAliases* aliases_`) to the internal `FontFeatureAliases` HashMap. When the map is mutated during iteration via `set()` or `delete()`, the HashMap rehashes โ allocating new storage and freeing the old. The raw pointer becomes **dangling**, and the next `FetchNextItem()` call reads from freed memory.
### Vulnerable Code Path
```
CreateIterationSource()
โ FontFeatureValuesMapIterationSource(map, aliases_)
โ aliases_ = raw pointer to internal HashMap
โ iterator_ = aliases_->begin()
FetchNextItem()
โ reads iterator_->key (through aliases_)
If map.set() / map.delete() is called between iterations:
โ HashMap rehashes (new alloc, old freed)
โ aliases_ โ dangling pointer
โ iterator_ โ invalidated
โ Next FetchNextItem() โ USE-AFTER-FREE
```
### Fix
```diff
- const FontFeatureAliases* aliases_; // raw pointer โ dangling after rehash
+ const FontFeatureAliases aliases_; // deep copy โ immune to rehash
```
The fix replaces the raw pointer with a **deep copy** of the HashMap. Even if the original map rehashes, the iterator operates on its own copy, preventing the dangling pointer.
## Proof of Concept
### Usage
1. Open `poc.html` in a **vulnerable** Chrome version (= 145.0.7632.75 (patched) | No crash โ PoC runs to completion, all entries are read normally. |
### Screenshot (Unpatched Chrome โ Crash)
When opened in a vulnerable Chrome version, the renderer process crashes with `STATUS_ACCESS_VIOLATION`:
```
Can't open this page
Error code: STATUS_ACCESS_VIOLATION
```
This confirms the UAF is triggered โ the dangling pointer accesses freed/unmapped memory, causing the renderer process to terminate.
## How the PoC Works
The PoC triggers the UAF through **three independent methods**:
### Method 1: `entries()` Iterator + Mutation Loop
```javascript
const iterator = map.entries();
while (step = 145.0.7632.75 (Windows/macOS) or >= 144.0.7559.75 (Linux)
2. **Update Chromium-based browsers** (Edge, Brave, Opera, Vivaldi) when vendor patches are available
3. **Verify Site Isolation** is enabled (`chrome://flags/#site-isolation-trial-opt-out`)
4. **Monitor endpoints** for Chrome versions below the fixed builds
## Timeline
| Date | Event |
|------|-------|
| 2026-02-11 | Vulnerability reported by Shaheen Fazim |
| 2026-02-13 | Google releases Chrome 145.0.7632.75/76 (Windows/macOS), 144.0.7559.75 (Linux) |
| 2026-02-13 | Google acknowledges in-the-wild exploitation |
| 2026-02-16 | Vivaldi and Opera ship fixes |
## References
- [Google Chrome Releases Blog](https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html)
- [NVD โ CVE-2026-2441](https://nvd.nist.gov/vuln/detail/cve-2026-2441)
- [The Hacker News โ Chrome Zero-Day Under Active Attack](https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html)
- [Chromium Issue Tracker](https://issues.chromium.org/) (restricted)
## Support
If you find this research useful, consider buying me a coffee:
[](https://buymeacoffee.com/debojeet_bhowmick)
## Disclaimer
This proof of concept is provided for **educational and authorized security research purposes only**. Use of this PoC against systems without explicit permission is illegal and unethical. The author is not responsible for any misuse.
## License
MIT