Exploit available for new Chrome zero-day vulnerability, says Google
Threat actors now have the ability to exploit a new zero-day vulnerability in the Chrome browser, Google has advised IT administrators.
The warning comes after Google released a patch for Chrome to plug a use-after-free memory vulnerability (CVE-2026-2441) in cascading style sheets (CSS), which means the browser’s CSS engine isn’t properly managing memory and can be exploited by an attacker.
If not patched, it allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The vulnerability is rated High in severity.
Browser zero days are never good, because it’s trivial for criminals to use poisoned ads to try to steer victims with vulnerable browsers to websites containing malicious code, said David Shipley, head of Canadian security awareness training provider Beauceron Security.
“In this case, it looks like this is only a partial fix for the vulnerability in progress, and Google is being a bit tight-lipped about how bad this bug was, and all the things it could be used for beyond crashing the browser and corrupting data. But given there are exploits in the wild, and Google says it’s waiting until the majority of users are patched before getting into more details, there’s clearly something more interesting behind this one.”
Getting fixes to enterprise browsers is still not as easy as it should be, he added, and usually involves expensive tools or complex workflows that most smaller organizations don’t have.
Google, however, provides extensive advice for administrators on managing Chrome updates.
Read the Full Story at CSO Online