Chrome CSSFontFeatureValuesMap use after free
Chrome's CSS engine contains a vulnerability, CVE-2026-2441, that was being exploited before anyone had realized it existed.
The flaw lies in CSS font feature handling: it results in the browser using CSS font feature data after its memory has already been freed. It affects not only Google Chrome but every browser built on the same Chromium project.
The vulnerability carries a CVSS score of 8.8 out of 10 and is rated "high". A malicious page can trigger it through CSS font features to run arbitrary code inside Chrome, so treat an unpatched browser with caution.
Google published the Chrome patch for this vulnerability in release 145.0.7632.75.
What Is the Vulnerability?
The Chrome CSSFontFeatureValuesMap use after free vulnerability exists in Blink, Google's rendering engine. Specifically, the flaw resides in the CSSFontFeatureValuesMap implementation, which handles CSS font feature values.
Here is the technical problem. When JavaScript creates an iterator over a CSSFontFeatureValuesMap object and the underlying HashMap mutates during iteration, a rehash operation occurs. That rehash frees the original memory. However, the iterator still holds a raw pointer to the now-freed memory.
That dangling pointer is the Chrome CSSFontFeatureValuesMap use after free condition. When the iterator continues to access the freed memory, the browser crashes or, worse, executes attacker-controlled code.
The Chrome CSSFontFeatureValuesMap Use After Free vulnerability was identified and disclosed by security researcher nu11secur1ty who created a proof of concept to show the crash.
Root Cause Analysis
The CSSFontFeatureValuesMap use after free vulnerability stems from one file in the Blink codebase:
third_party/blink/renderer/core/css/css_font_feature_values_map.cc.
The class FontFeatureValuesMapIterationSource has a raw pointer member (const FontFeatureAliases* aliases_) that points to the internal HashMap. The designer of this object assumed that the internal HashMap would not change while the object iterates over its elements (i.e., that the underlying storage would stay put).
That assumption was wrong.
When the set() or delete() methods mutate the map during iteration, the HashMap rehashes. The old storage is freed. The iterator's raw pointer now points to freed memory. The Chrome CSSFontFeatureValuesMap use after free condition is triggered.
The fix was straightforward. Google committed 63f3cb4864c64c677cd60c76c8cb49d37d08319c, which replaces the raw pointer with a deep copy (const FontFeatureAliases aliases_). The iterator no longer depends on the original map's memory.
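As an added illustration (not Chromium's code), the pattern behind the bug and behind the fix, modelled with std::unordered_map in place of Blink's HashMap; the class names, Outcome, Demo and the sample keys are hypothetical, and the bucket-count check in the pointer-based source is a defensive addition the original lacked.

```cpp
#include <optional>
#include <string>
#include <unordered_map>
#include <vector>
// Stand-in for Blink's FontFeatureAliases (a WTF::HashMap); std::unordered_map models the rehash.
using Aliases = std::unordered_map<std::string, std::vector<unsigned>>;
// Shape of the vulnerable source: a raw pointer to storage it does not own. Unlike Blink's,
// it notes the bucket count at creation and refuses to touch storage once a rehash replaced it.
class PointerIterationSource {
 public:
  explicit PointerIterationSource(const Aliases& m) : aliases_(&m), buckets_at_start_(m.bucket_count()), it_(m.begin()) {}
  bool Invalidated() const { return aliases_->bucket_count() != buckets_at_start_; }
  // Next key, or nullopt when exhausted or when continuing would read freed memory.
  std::optional<std::string> Next() {
    if (Invalidated() || it_ == aliases_->end()) return std::nullopt;
    return (it_++)->first;
  }
 private:
  const Aliases* aliases_;
  std::size_t buckets_at_start_;
  Aliases::const_iterator it_;
};
// Shape of the fix: the source owns a deep copy, so set()/delete() on the live map can
// no longer free the memory being iterated.
class SnapshotIterationSource {
 public:
  explicit SnapshotIterationSource(const Aliases& m) : aliases_(m), it_(aliases_.begin()) {}
  std::optional<std::string> Next() {
    if (it_ == aliases_.end()) return std::nullopt;
    return (it_++)->first;
  }
 private:
  const Aliases aliases_;  // declared before it_, so it is constructed first
  Aliases::const_iterator it_;
};
struct Outcome { std::size_t pointer_yielded; bool pointer_invalidated; std::size_t snapshot_yielded; };
// Replay the write-up's mutation pattern (delete a key, insert many) mid-walk; constructed sample data.
Outcome Demo() {
  Aliases live{{"swash", {1}}, {"styleset", {2}}, {"ornaments", {3}}};
  PointerIterationSource raw(live);
  SnapshotIterationSource copy(live);
  std::string first = *raw.Next(); copy.Next();  // one entry consumed from each source
  live.erase(first);  // delete a key the pointer source has already visited
  for (unsigned i = 0; i < 1000; ++i) live["ss" + std::to_string(i)] = {i};  // forces a rehash
  Outcome o{1, raw.Invalidated(), 1};
  while (raw.Next()) ++o.pointer_yielded;      // stops: storage was replaced
  while (copy.Next()) ++o.snapshot_yielded;    // still walks all three original entries
  return o;
}
```

The pointer-based source stops after one entry because the rehash replaced the storage it pointed at; the snapshot source still yields all three original entries regardless of what the live map did.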
Affected Versions and Browsers
The Chrome CSSFontFeatureValuesMap use after free vulnerability affects a wide range of Chromium-based browsers:
• Google Chrome versions 144.x and earlier
• Google Chrome versions before 145.0.7632.75
• Microsoft Edge prior to the Chromium 145 update
• Opera prior to version 127.0.5778.64
• Any Chromium-based browser using the affected Blink versions
If you are running Chrome 144 or any older version, the Chrome CSSFontFeatureValuesMap use after free vulnerability is present on your system.
Exploitation in the Wild
The Chrome CSSFontFeatureValuesMap use after free was exploited in the wild as a zero-day: attackers were using it against Chrome before a fix was available.
Exploits work as follows:
Step 1: Creating a target map. The attacker injects CSS @font-feature-values rules into the page.
Step 2: Creating an iterator. JavaScript code creates an iterator over the CSSFontFeatureValuesMap. The Chrome CSSFontFeatureValuesMap use after free vulnerability begins here, as the iterator captures a raw pointer to the HashMap.
Step 3: Mutating the map during iteration. The attacker calls set() or delete() on the map while the iterator is still active. This triggers a rehash and frees the original memory.
Step 4: Accessing the dangling pointer. The iterator continues to iterate, accessing freed memory. The Chrome CSSFontFeatureValuesMap use after free condition allows attacker-controlled memory layout.
Step 5: Arbitrary code execution. Crafted heap grooming can replace the freed memory with attacker-controlled data, leading to code execution inside the Chrome sandbox.
The proof-of-concept published by nu11secur1ty demonstrates a reliable crash. Further refinement could turn the Chrome CSSFontFeatureValuesMap use after free vulnerability into a full exploit chain.
Why This Vulnerability Is Dangerous
The Chrome CSSFontFeatureValuesMap use after free vulnerability has several characteristics that make it particularly dangerous.
1. Actively exploited as a zero-day. Attackers found and used the Chrome CSSFontFeatureValuesMap use after free flaw before Google did. That means real attacks were in progress while most users were still vulnerable.
2. Affects every Chromium-based browser. Chrome, Edge, Opera, and every other browser built on Chromium share the same vulnerable Blink code, so the CSSFontFeatureValuesMap use after free is not limited to Chrome.
3. Remote exploitation. An attacker only needs the victim to visit a malicious web page; no physical access is required. The CSSFontFeatureValuesMap use after free is exploitable remotely.
4. Sandbox escape potential. While the initial code execution occurs inside the Chrome sandbox, the Chrome CSSFontFeatureValuesMap use after free vulnerability can be chained with a separate sandbox escape vulnerability for full system compromise.
How to Protect Your Browser
The Chrome CSSFontFeatureValuesMap use after free vulnerability is patched. Here is what to do.
1. Update Chrome immediately. Go to Settings → About Google Chrome. The browser will check for updates. Install version 145.0.7632.75 or later. The Chrome CSSFontFeatureValuesMap use after free vulnerability is fixed in this version.
2. Update Edge, Opera, and other Chromium browsers. The Chrome CSSFontFeatureValuesMap use after free flaw affects all Chromium-based browsers. Update each browser individually.
3. Restart your browser after updating. The patch only takes effect after a full restart. The Chrome CSSFontFeatureValuesMap use after free vulnerability remains exploitable until you restart.
4. Enable automatic updates. This zero-day flaw in Chrome's CSS font feature value map let attackers install malware on users who were simply browsing, so install the latest Chrome as soon as possible and configure the browser to update automatically so that you always run the current release.
5. If compatibility problems prevent you from upgrading Chrome, use another, patched browser until you can install the new release. You may also download a fresh copy of your current browser or repair the existing installation with a repair tool.
Technical Demonstration
The proof-of-concept for the Chrome CSSFontFeatureValuesMap use after free vulnerability is relatively simple.
The exploit code:
1. Creates a target stylesheet with @font-feature-values rules
2. Creates an iterator over the resulting CSSFontFeatureValuesMap
3. Mutates the map by deleting keys and inserting many new entries
4. Continues iterating after the rehash
When the Chrome CSSFontFeatureValuesMap use after free vulnerability is present, the browser crashes. When patched, the page survives.
Users can test their own browsers using the published PoC. However, be aware that intentionally triggering the Chrome CSSFontFeatureValuesMap use after free vulnerability may crash the browser tab.
The Bigger Picture: Use After Free in Browsers
The CSSFontFeatureValuesMap use-after-free in Google Chrome is not an isolated case. Use after free bugs are among the most common memory corruption issues in web browsers.
Use after free errors happen when a program uses a pointer to memory that has already been freed. Attackers can typically exploit such bugs when they control what data lands in the freed region, which turns a crash into arbitrary code execution.
The Chrome CSSFontFeatureValuesMap use-after-free is also notable because it sits in an obscure CSS feature: attackers found it, weaponized it, and exploited it before Google's internal security teams discovered it.
Once aware of the vulnerability, Google patched it quickly. The fix replaces the raw pointer with a deep copy, eliminating the dangling reference entirely.
Final Thoughts
The Chrome CSSFontFeatureValuesMap use after free vulnerability is another reminder that browser security is an ongoing arms race. Attackers find flaws. Vendors patch them. Attackers find new flaws.
The Chrome CSSFontFeatureValuesMap use after free zero-day was exploited in the wild. That means real users with unpatched Chrome versions were compromised. The only defense is prompt updating.
Check your Chrome version right now. If you are not on 145.0.7632.75 or later, the Chrome CSSFontFeatureValuesMap use after free vulnerability is still present on your system. Update, restart, and browse safely.
FAQ Section
Q1: Have there been successful attacks demonstrated with CVE-2026-2441 exploited against production systems?
Yes. Attackers exploited CVE-2026-2441, a use after free in Google Chrome, against production systems, and proof-of-concept exploits were available before the fix shipped in Google Chrome 145.0.7632.75.
Q2: How will I know if I am at risk from CVE-2026-2441?
You can check using the proof of concept released by nu11secur1ty: if your browser tab crashes or locks up, the Chrome CSSFontFeatureValuesMap use after free vulnerability is still present. If the page neither crashes nor locks up, your browser has been patched.