Zero-day CSS: CVE-2026-2441 exists in the wild

> That's pretty bad! I wonder what kind of bounty went to the researcher.

I'd be surprised if it's above 20K$.

Bug bounties rewards are usually criminally low; doubly so when you consider the efforts usually involved in not only finding serious vulns, but demonstrating a reliable way to exploit them.

So basically Firefox is not affected ?

Presumably this affects all electron apps which embed chrome too? Don’t they pin the chrome version?

Yeah, but lets keeping downplaying use-after-free as something not worth eliminating in 21st century systems languages.

It would also require a sandbox escape to be a meaningful vulnerability.

Unfortunately, "seen in the wild" likely means that they _also_ had a sandbox escape, which likely isn't revealed publicly because it's not a vulnerability in properly running execution (i.e., if the heap were not already corrupted, no vulnerability exists).

"Actually, you forgot Brave."

Chromium is pretty aggressively fuzzed. There aren't a lot of dark corners that can't be reached via a sufficiently aggressive fuzzer.

I think they meant something like the CSS parser, or the CSS Object Model (CSSOM).

Why ?

Browser exploits are almost always two steps: you exploit a renderer bug in order to get arbitrary code execution inside a sandboxed process, and then you use a second sandbox escape exploit in order to gain arbitrary code execution in the non-sandboxed broker process. The first line of that (almost definitely AI generated) summary is the bad part, and means that this is one half of a full browser compromise chain. The fact that you still need a sandbox escape doesn't mean that it is harmless, especially since if it's being exploited in the wild that means whoever is using it probably does also have a sandbox escape they are pairing with it.

> Don't we have a bunch of tools that should create memory-safish binaries by applying the same validation checks that memory-safe languages get for free purely from their design?

No, we don't. All of the ones we have are heavily leveraged in Chromium or were outright developed at Google for similar projects. 10s of billions are spent to try to get Chromium to not have these vulnerabilities, using those tools. And here we are.

I'll elaborate a bit. Things like sanitizers largely rely on test coverage. Google spends a lot of money on things like fuzzing, but coverage is still a critical requirement. For a massive codebase, gettign proper coverage is obviously really tricky. We'll have to learn more about this vulnerability but you can see how even just that limitation alone is sufficient to explain gaps.

"No-style" would break the modern web even more than No-Script does, unfortunately. CSS is just too integral to layout and functionality now.

A more robust alternative to disabling features is isolating where they execute. Instead of stripping out CSS/JS and breaking sites, you stream the browser session from a remote server.

If a zero-day like CVE-2026-2441 hits the parser, it crashes (or exploits) the remote instance, not your local machine. You get to keep the rich web experience (CSS, JS, fonts) without trusting your local CPU with the parsing logic. It’s basically "air-gapping" your browser tab. Not perfect, as attackers could still add a third step to compromise your remote and flow back to your local, but isolation like this adds defense in depth that then needs to compromise a much narrower attack surface (the local-remote tunnel) than if you ran it locally.

It's also been ridiculously slow for a month or two now :/ not a good time to be working on some relatively intricate performance optimisation with DevTools taking 1-4 seconds to even start the performance recording.

Here's one: https://github.com/huseyinstif/CVE-2026-2441-PoC

I thought OSS-fuzz still uses the aforementioned sanitizers and fuzz engines. It is not by itself a fuzzing engine.

You joke, but a substantial portion of the Blink engine was (re)written in garbage collected C++ to a similar effect.

They could just invest into Servo's and use that.

Yeah, Firefox uses a different CSS engine that doesn't automatically have this same use-after-free.

It does, it's just that blog is for chrome so it doesn't mention other browsers.

"This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera"

why on earth would you even assume somthing like this?

honestly curious. do you think "based on chrome" means they forked the engine and not just "applied some UI skin"?

I've heard this sentiment a lot, that governments/secret agencies/whoever create zero-days intentionally, for their own use.

This is an interesting thought to me (like, how does one create a zero-day that doesn't look intentional?) but the more I think about it, the more I start to believe that this fully is not necessary. There are enough faulty humans and memory unsafe languages in the loop that there will always be a zero-day somewhere, you just need to find it.

(this isn't to say something like the NSA has never created or ordered the creation of a backdoor - I just don't think it would be in the form of an "unintentional" zero-day exploit)

It refers to your many days software is available for, with zero implying it is not yet out so you couldn't have installed a new version and that's what makes it a risky bug

The term has long watered-down to mean any vulnerability (since it was always a zero-day at some point before the patch release, I guess is those people's logic? idk). Fear inflation and shoehorning seems to happen to any type of scary/scarier/scariest attack term. Might be easiest not to put too much thought into media headlines containing 0day, hacker, crypto, AI, etc. Recently saw non-R RCEs and supply chain attacks not being about anyone's supply chain copied happily onto HN

Edit: fwiw, I'm not the downvoter

If you haven't seen news related to LLM generated bug reports, they are pretty disliked due to poor quality. So yes, a new LLM generated bug report era has begun, and the results so far have been moderator/developer burnout, increased time between real bugs being taken care of (as devs treat each submission as a true possible bug), and many projects no longer accepting bug reports. I have seen a couple anecdotal incidents when someone used LLMs to generate real bugs, one guy showing off a chain he made to HN, and that was really neat. LLMs aren't unable to make reports, but scammers and vibecoders see the dollar signs that they aren't going to put real effort in trying to get, and submit every response from a prompt similar to "provide me a bug report for [XX package/app]" in hopes that one pays out. The individuals I saw make real bug reports were already developers and were able to test out and iterate with the code the LLM provided, making connections of their own, just like any other person who uses LLMs responsibly instead of outsourcing thinking.

Absolutely nothing in the announcement or other publicly available source implies that, to my knowledge. Might as well speculate if a random passer-by on the street is secretly a martian.