Share
## https://sploitus.com/exploit?id=1753A83F-4AED-5BC1-9CC1-301410739590
# CVE-2026-2441 โ€” Chrome CSSFontFeatureValuesMap Use-After-Free

**CVSS 8.8 (High)** | **Actively Exploited in the Wild** | **Renderer RCE (Sandboxed)**

A use-after-free vulnerability in Google Chrome's Blink CSS engine that allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.

## Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-2441 |
| **CVSS** | 8.8 (High) |
| **Type** | Use-After-Free (CWE-416) |
| **Component** | Blink CSS โ€” `CSSFontFeatureValuesMap` |
| **Source File** | `third_party/blink/renderer/core/css/css_font_feature_values_map.cc` |
| **Fix Commit** | `63f3cb4864c64c677cd60c76c8cb49d37d08319c` |
| **Reporter** | Shaheen Fazim (2026-02-11) |
| **Patch Date** | 2026-02-13 |
| **In-the-Wild** | Yes โ€” Google confirmed active exploitation |

## Affected Versions

| Platform | Vulnerable | Fixed |
|----------|-----------|-------|
| Windows / macOS (Stable) | = 145.0.7632.75 |
| Linux (Stable) | = 144.0.7559.75 |
| Windows / macOS (Extended Stable) | = 144.0.7559.177 |
| Chromium-based browsers (Edge, Brave, Opera, Vivaldi) | Check vendor advisory | Varies |

## Root Cause

`FontFeatureValuesMapIterationSource` stored a **raw pointer** (`const FontFeatureAliases* aliases_`) to the internal `FontFeatureAliases` HashMap. When the map is mutated during iteration via `set()` or `delete()`, the HashMap rehashes โ€” allocating new storage and freeing the old. The raw pointer becomes **dangling**, and the next `FetchNextItem()` call reads from freed memory.

### Vulnerable Code Path

```
CreateIterationSource()
  โ†’ FontFeatureValuesMapIterationSource(map, aliases_)
  โ†’ aliases_ = raw pointer to internal HashMap
  โ†’ iterator_ = aliases_->begin()

FetchNextItem()
  โ†’ reads iterator_->key  (through aliases_)

If map.set() / map.delete() is called between iterations:
  โ†’ HashMap rehashes (new alloc, old freed)
  โ†’ aliases_ โ†’ dangling pointer
  โ†’ iterator_ โ†’ invalidated
  โ†’ Next FetchNextItem() โ†’ USE-AFTER-FREE
```

### Fix

```diff
- const FontFeatureAliases* aliases_;   // raw pointer โ†’ dangling after rehash
+ const FontFeatureAliases aliases_;    // deep copy โ†’ immune to rehash
```

The fix replaces the raw pointer with a **deep copy** of the HashMap. Even if the original map rehashes, the iterator operates on its own copy, preventing the dangling pointer.

## Proof of Concept

### Usage

1. Open `poc.html` in a **vulnerable** Chrome version (= 145.0.7632.75 (patched) | No crash โ€” PoC runs to completion, all entries are read normally. |

### Screenshot (Unpatched Chrome โ€” Crash)

When opened in a vulnerable Chrome version, the renderer process crashes with `STATUS_ACCESS_VIOLATION`:

```
Can't open this page

Error code: STATUS_ACCESS_VIOLATION
```

This confirms the UAF is triggered โ€” the dangling pointer accesses freed/unmapped memory, causing the renderer process to terminate.

## How the PoC Works

The PoC triggers the UAF through **three independent methods**:

### Method 1: `entries()` Iterator + Mutation Loop

```javascript
const iterator = map.entries();
while (step = 145.0.7632.75 (Windows/macOS) or >= 144.0.7559.75 (Linux)
2. **Update Chromium-based browsers** (Edge, Brave, Opera, Vivaldi) when vendor patches are available
3. **Verify Site Isolation** is enabled (`chrome://flags/#site-isolation-trial-opt-out`)
4. **Monitor endpoints** for Chrome versions below the fixed builds

## Timeline

| Date | Event |
|------|-------|
| 2026-02-11 | Vulnerability reported by Shaheen Fazim |
| 2026-02-13 | Google releases Chrome 145.0.7632.75/76 (Windows/macOS), 144.0.7559.75 (Linux) |
| 2026-02-13 | Google acknowledges in-the-wild exploitation |
| 2026-02-16 | Vivaldi and Opera ship fixes |

## References

- [Google Chrome Releases Blog](https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html)
- [NVD โ€” CVE-2026-2441](https://nvd.nist.gov/vuln/detail/cve-2026-2441)
- [The Hacker News โ€” Chrome Zero-Day Under Active Attack](https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html)
- [Chromium Issue Tracker](https://issues.chromium.org/) (restricted)

## Support

If you find this research useful, consider buying me a coffee:

[![Buy Me A Coffee](https://img.shields.io/badge/Buy%20Me%20A%20Coffee-ffdd00?style=for-the-badge&logo=buy-me-a-coffee&logoColor=black)](https://buymeacoffee.com/debojeet_bhowmick)

## Disclaimer

This proof of concept is provided for **educational and authorized security research purposes only**. Use of this PoC against systems without explicit permission is illegal and unethical. The author is not responsible for any misuse.

## License

MIT