
CVE Reports

Posted on • Originally published at cvereports.com

Font of Doom: Inside CVE-2026-2441 (Chrome Blink UAF)

Vulnerability ID: CVE-2026-2441
CVSS Score: 8.8
Published: 2026-02-13

In the sprawling, chaotic metropolis that is the Chromium codebase, even the most obscure CSS features can hide deadly traps. CVE-2026-2441 is a textbook Use-After-Free (UAF) vulnerability buried deep within the Blink rendering engine's handling of @font-feature-values. By exploiting a logic error in how iterators track underlying HashMaps during mutation, attackers can trigger memory corruption leading to Remote Code Execution (RCE) inside the renderer process. This isn't theoretical—Google has confirmed active exploitation in the wild.

TL;DR

A critical Use-After-Free in Chrome's Blink engine allows attackers to execute arbitrary code by manipulating CSS font feature maps. If you iterate over a map while modifying it, the backing storage gets freed, but the iterator doesn't get the memo. Confirmed active exploitation.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-416 (Use After Free)
  • CVSS: 8.8 (High)
  • Attack Vector: Network (Web Page)
  • Privileges Required: None
  • User Interaction: Required (Visit Page)
  • Exploit Status: Active / Weaponized
  • EPSS Score: 0.00531 (percentile: 66.81%)
  • KEV Listed: Yes (2026-02-17)

Affected Systems

  • Google Chrome (Windows/macOS) < 145.0.7632.75 (fixed in 145.0.7632.75)
  • Google Chrome (Linux) < 144.0.7559.75
  • Microsoft Edge (Chromium) < 133.0.3065.92
  • Brave Browser < 1.75.180
  • Opera < 116.0.5366.82

Code Analysis

Commit: 63f3cb4

Fix UAF in CSSFontFeatureValuesMap by using member Iterator

--- a/third_party/blink/renderer/core/css/css_font_feature_values_map.cc
+++ b/third_party/blink/renderer/core/css/css_font_feature_values_map.cc
- const FontFeatureAliases* aliases_;
+ // Replaced raw pointer logic with safe iteration
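Review bot: the hunk as shown removes the raw `const FontFeatureAliases* aliases_;` member but replaces it with nothing but a comment (`+ // Replaced raw pointer logic with safe iteration`), so the excerpt does not let a reader verify the lifetime fix the commit title promises ("by using member Iterator"): no iterator member, no constructor change and no updated iteration call site appear, and there is no `@@` header to locate the change. Suggest quoting the hunk that actually introduces the member iterator (and whatever keeps the map's backing storage alive while it is iterated) so the Code Analysis matches the commit message.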

Exploit Details

  • GitHub: Proof of concept demonstrating renderer crash and UAF trigger

Mitigation Strategies

  • Implement strong reference counting for iterators.
  • Use snapshotting when iterating over mutable containers exposed to JS.
  • Fuzz CSSOM interfaces with mutation-heavy patterns.
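The bug class described in the introduction and TL;DR (a live iterator held across a mutation of the map it points into) and the "snapshotting" mitigation listed above, as an added C++ example. This is not Blink code and not the fix from commit 63f3cb4: the class `FeatureValuesMap`, the methods `forEachLive` and `forEachSnapshot`, and the generation counter are invented for the illustration. The counter only makes iterator invalidation observable so the vulnerable shape can be shown without dereferencing freed memory; the hardened shape copies the keys first and re-looks-up each one, so no iterator survives across a callback that can mutate the map.

```cpp
#include <cstddef>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed stand-in for a script-exposed maplike such as CSSFontFeatureValuesMap. Added
// illustration, not Blink code: FeatureValuesMap, forEachLive and forEachSnapshot are invented names.
class FeatureValuesMap {
 public:
  using Callback = std::function<void(FeatureValuesMap&, const std::string&, unsigned)>;

  void set(const std::string& name, unsigned value) {
    aliases_[name] = value;
    ++generation_;  // an insert may rehash, invalidating every live iterator into the table
  }
  bool remove(const std::string& name) {
    if (aliases_.erase(name) == 0) return false;
    ++generation_;
    return true;
  }
  std::size_t size() const { return aliases_.size(); }

  // Vulnerable shape: a live iterator into the hash table is held across a callback that can
  // mutate the table. In the real bug the iterator kept pointing into freed backing storage; here
  // a generation counter makes the invalidation observable and we stop instead of touching `it`.
  // Returns the number of entries visited, or -1 if a callback mutated the map mid-iteration.
  int forEachLive(const Callback& cb) {
    int visited = 0;
    for (auto it = aliases_.begin(); it != aliases_.end(); ++it) {
      const unsigned before = generation_;
      cb(*this, it->first, it->second);
      ++visited;
      if (generation_ != before) return -1;  // `it` can no longer be trusted
    }
    return visited;
  }

  // Hardened shape (the report's "snapshotting" mitigation): copy the keys first, then re-look-up
  // each key. No iterator survives across the callback, so script-driven mutation cannot dangle one.
  int forEachSnapshot(const Callback& cb) {
    std::vector<std::string> keys;
    keys.reserve(aliases_.size());
    for (const auto& kv : aliases_) keys.push_back(kv.first);
    int visited = 0;
    for (const std::string& key : keys) {
      auto found = aliases_.find(key);
      if (found == aliases_.end()) continue;  // removed by an earlier callback: skip, don't crash
      const unsigned value = found->second;    // copy out before the callback can mutate
      cb(*this, key, value);
      ++visited;
    }
    return visited;
  }

 private:
  std::unordered_map<std::string, unsigned> aliases_;
  unsigned generation_ = 0;
};

// Sample map with constructed entries (not real font feature data).
static FeatureValuesMap sampleMap() {
  FeatureValuesMap m;
  m.set("swash", 1);
  m.set("ornaments", 2);
  m.set("styleset", 3);
  return m;
}

// Callbacks standing in for script that mutates the map from inside forEach().
static void insertingCallback(FeatureValuesMap& m, const std::string& key, unsigned value) {
  m.set(key + "-alt", value + 10);
}
static void clearingCallback(FeatureValuesMap& m, const std::string& key, unsigned) {
  for (const char* other : {"swash", "ornaments", "styleset"})
    if (key != other) m.remove(other);  // drop every entry except the one being visited
}

// Scenario results, returned so they can be checked rather than only printed.
int liveVisitsWithoutMutation() { return sampleMap().forEachLive([](FeatureValuesMap&, const std::string&, unsigned) {}); }
int liveVisitsWithMutation() { return sampleMap().forEachLive(insertingCallback); }        // -1
int snapshotVisitsWithMutation() { return sampleMap().forEachSnapshot(insertingCallback); }  // 3
int snapshotVisitsWithRemoval() { return sampleMap().forEachSnapshot(clearingCallback); }    // 1
std::size_t snapshotFinalSize() {
  FeatureValuesMap m = sampleMap();
  m.forEachSnapshot(insertingCallback);
  return m.size();  // 6: three original keys plus their "-alt" entries
}

int main() {
  std::cout << "live: " << liveVisitsWithoutMutation() << " / " << liveVisitsWithMutation() << "\n"
            << "snapshot: " << snapshotVisitsWithMutation() << " / " << snapshotVisitsWithRemoval()
            << " / size " << snapshotFinalSize() << "\n";
  return 0;
}
```

The snapshot walk deliberately does not visit entries inserted during iteration and silently skips entries removed by an earlier callback; that is the trade-off the mitigation makes, and it is the behaviour to document when a maplike is exposed to script that can mutate it from inside its own `forEach`.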

Remediation Steps

  1. Apply vendor patch immediately (Chrome 145.0.7632.75+).
  2. Restart the browser instance to load the new binary.
  3. Monitor crash logs for unexpected renderer terminations.
