MultiApp-CVE-2026-2441


Lookout Coverage and Recommendation for Admins
Lookout will publish coverage on March 2, 2026, after which alerts will be generated according to each admin's risk, response, and escalation configuration. Coverage will be added as MultiApp-CVE-2026-2441.
To ensure your devices are protected, Lookout admins should take the following actions in their Lookout console:
- Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on the device.
- Update devices running Google Chrome (Android) versions below 145.0.7632.109. The fixed Microsoft Edge (Android) version will be deployed and communicated as soon as Microsoft finalizes the fix.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities.
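The second recommendation above hinges on comparing installed browser versions against the fixed build. A common mistake in homegrown inventory scripts is comparing Chromium's four-part version strings as plain text, which ranks "145.0.7632.99" above "145.0.7632.109". The following added example (not Lookout's code or console logic) shows a numeric comparison, treats Edge as still exposed because no fixed version exists yet, and ignores packages the advisory does not cover. The package names com.android.chrome and com.microsoft.emmx are the real Android package identifiers; the device inventory and Edge/older Chrome version numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed versions from the advisory. None means no patched build is available yet.
FIXED_VERSIONS = {
    "com.android.chrome": "145.0.7632.109",  # Google Chrome (Android), per the advisory
    "com.microsoft.emmx": None,              # Microsoft Edge (Android): fix not yet released
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted Chromium version string into a tuple of ints.

    Tuples compare element by element numerically, so (145, 0, 7632, 99)
    correctly sorts below (145, 0, 7632, 109), unlike the raw strings.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(package: str, installed: str) -> Optional[bool]:
    """True if the installed build is below the fixed one, False if at or above,
    None if the package is not tracked by this advisory."""
    if package not in FIXED_VERSIONS:
        return None
    fixed = FIXED_VERSIONS[package]
    if fixed is None:
        # No fixed build exists yet, so every installed version remains exposed.
        return True
    return parse_version(installed) < parse_version(fixed)


@dataclass(frozen=True)
class Device:
    device_id: str
    package: str
    version: str


# Constructed sample inventory; device ids and most version numbers are made up.
SAMPLE_INVENTORY: List[Device] = [
    Device("dev-001", "com.android.chrome", "145.0.7632.109"),  # at the fixed build
    Device("dev-002", "com.android.chrome", "145.0.7632.99"),   # below fix (99 < 109)
    Device("dev-003", "com.android.chrome", "144.0.7559.132"),  # older major version
    Device("dev-004", "com.microsoft.emmx", "144.0.3719.88"),   # Edge: no fix available
    Device("dev-005", "org.mozilla.firefox", "136.0"),          # outside this advisory
]


def devices_needing_action(inventory: List[Device]) -> List[str]:
    """Return sorted device ids that should be updated or kept flagged."""
    return sorted(d.device_id for d in inventory if is_vulnerable(d.package, d.version))


if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        status = is_vulnerable(dev.package, dev.version)
        label = {True: "VULNERABLE", False: "patched", None: "not covered"}[status]
        print(f"{dev.device_id} {dev.package} {dev.version}: {label}")
    print("needs action:", devices_needing_action(SAMPLE_INVENTORY))
```

When the Edge fix ships, replacing the None entry with the announced version is the only change needed; until then every Edge install stays on the action list, which matches the advisory's guidance that the patch is pending.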
Overview
Google has disclosed a high-severity vulnerability, CVE-2026-2441, affecting the Chromium project. It is a use-after-free (UAF) vulnerability in the CSS engine of Google Chrome, involving the CSSFontFeatureValuesMap. An attacker can exploit this flaw via a specially crafted HTML page to cause heap corruption, which could potentially lead to unauthorized code execution inside the browser sandbox. CVE-2026-2441 has been patched in Google Chrome (Android) 145.0.7632.109 and above. A patch for Microsoft Edge (Android) is currently unavailable; updates will be deployed as soon as Microsoft finalizes the fix.
United States government organizations following CISA frameworks should have all vulnerable devices patched by March 10, 2026. While this mandate applies to federal agencies, enterprise organizations are strongly advised to follow the same timeline.
Lookout Analysis
The vulnerability poses a maximum risk to Confidentiality, Integrity, and Availability. Successful exploitation allows unauthorized access to sensitive data, such as saved passwords and session cookies, and enables attackers to inject malicious scripts into other websites or trigger persistent application crashes on mobile devices.
Exploitation Lifecycle: the exploitation of CVE-2026-2441 typically follows these five steps:
- Luring: The user is directed to a malicious website containing crafted CSS/HTML.
- Freeing: A logic error in the CSS engine "frees" a memory block while a pointer is still active.
- Grooming: The attacker "sprays" the heap to fill the vacated slot with a malicious "fake" object.
- Redirecting: The browser attempts to use the original pointer, unknowingly executing instructions from the fake object.
- Executing: The attacker achieves Remote Code Execution (RCE), leading to data exfiltration or further system compromise.