
Google patches first Chrome zero-day of 2026

Google has released emergency updates for a critical Chrome vulnerability that is being actively exploited in zero-day attacks.

The vulnerability received a high CVSS score of 8.8 and affects Chrome’s V8 JavaScript engine. Security researcher Shaheen Fazim reported the use-after-free vulnerability. The issue lies in an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values. Successful exploitation could allow attackers to cause browser crashes, rendering issues, data corruption, or other undefined behavior.

Despite the patch, Google points to remaining work, so this may be a temporary fix, or related issues may still need to be addressed.

Patch available for multiple platforms

Google has fixed the vulnerability for users in the Stable Desktop channel. New versions will be rolled out to Windows, macOS (145.0.7632.75/76), and Linux users (144.0.7559.75) worldwide in the coming days or weeks.

Users who do not want to update manually can also have Chrome automatically check for updates via chrome://settings/help. The browser will install the update on the next restart.
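A fleet check built on the fixed builds above, as an added example that is not from Google or the original article: it compares installed and running Chrome versions per host and flags hosts that have the update staged but have not yet restarted. The inventory format, hostnames and status names are constructed, and applying the 145.0.7632.75 build to Windows as well as macOS is an assumption.

```python
import csv
import io

# Fixed Stable builds as given in the article. Assumption: the 145.0.7632.75
# figure listed next to macOS also applies to Windows.
FIXED_BUILDS = {
    "windows": (145, 0, 7632, 75),
    "macos": (145, 0, 7632, 75),
    "linux": (144, 0, 7559, 75),
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, installed, running):
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    inst, run = parse_version(installed), parse_version(running)
    if fixed is None or inst is None or run is None:
        return "unknown"          # never assume an unparseable row is safe
    if run >= fixed:              # integer tuples, so .9 sorts below .75
        return "patched"
    if inst >= fixed:
        return "restart-pending"  # update staged, old process still running
    return "vulnerable"

def triage(inventory_csv):
    """Map each host in the CSV inventory to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["installed"], r["running"])
            for r in rows}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,platform,installed,running
ws-01,windows,145.0.7632.75,145.0.7632.75
ws-02,windows,145.0.7632.75,144.0.7559.60
mac-01,macos,145.0.7632.45,145.0.7632.45
lnx-01,linux,144.0.7559.75,144.0.7559.75
lnx-02,linux,144.0.7559.9,144.0.7559.9
kiosk-01,chromeos,145.0.7632.75,145.0.7632.75
ws-03,windows,unknown,145.0.7632.75
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as restart-pending remain exposed until Chrome is relaunched, so they belong in the same remediation queue as the vulnerable ones.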

Although Google found evidence of attackers exploiting this zero-day flaw in the wild, the company did not share additional details about these incidents. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the statement said.

This is the first actively exploited Chrome security vulnerability to be patched since the beginning of 2026. Last year, Google addressed a total of eight zero-days that were exploited in the wild.