25 comments

[ 4.4 ms ] story [ 40.7 ms ] thread
(comment deleted)
"Use after free in CSS" is a funny description to see.
"Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."

That's pretty bad! I wonder what kind of bounty went to the researcher.

I wonder if this was found with LLM assistance, if yes, with which one and is it a one-off or does it mark a start of a new era (I assume it does).
Devtools is seemingly partially broken in this version, if I have devtools open on a reasonably dynamic web app Chrome will crash within a minute or two
The fact that these still show up is pretty wild to me. Don't we have a bunch of tools that should create memory-safish binaries by applying the same validation checks that memory-safe languages get for free purely from their design?

I get that css has changed a lot over the years with variables, scopes and adopting things from less/sass/coffee, but people use no-script for the reason because javascript is risky, but what if css can be just as risky... time to also have no-style?

Honestly, pretty excited for the full report since it's either stupid as hell or a multi-step attack chain.

"No-style" would break the modern web even more than No-Script does, unfortunately. CSS is just too integral to layout and functionality now.

A more robust alternative to disabling features is isolating where they execute. Instead of stripping out CSS/JS and breaking sites, you stream the browser session from a remote server.

If a zero-day like CVE-2026-2441 hits the parser, it crashes (or exploits) the remote instance, not your local machine. You get to keep the rich web experience (CSS, JS, fonts) without trusting your local CPU with the parsing logic. It’s basically "air-gapping" your browser tab. Not perfect, as attackers could still add a third step to compromise your remote and flow back to your local, but isolation like this adds defense in depth that then needs to compromise a much narrower attack surface (the local-remote tunnel) than if you ran it locally.

Isn't this a wrongly editorialized title - "Reported by Shaheen Fazim on 2026-02-11" so more like 7-day.
Maybe Chromium should also rewrite their rendering engine in Rust ;p
This doesn't affect the many browsers based on Chromium?
I'd love to see what the PoC code looks like, of course after the patch has been rolled out for a few weeks.
use after free.... ahh the irony
this is insane! what other zero days are out there and being used

also this seems chromium only so it doesnt impact firefox ?

Yeah, Firefox uses a different CSS engine that doesn't automatically have this same use-after-free.
I don't quite understand the vulnerability, when exploited, you can get information about the page from which the exploit code is running. Without a sandbox escape or XSS, that seems almost completely harmless?

This is the "impact" section on https://github.com/huseyinstif/CVE-2026-2441-PoC:

Arbitrary code execution within the renderer process sandbox Information disclosure — leak V8 heap pointers (ASLR bypass), read renderer memory contents Credential theft — read document.cookie, localStorage, sessionStorage, form input values Session hijacking — steal session tokens, exfiltrate via fetch() / WebSocket / sendBeacon() DOM manipulation — inject phishing forms, modify page content Keylogging — capture all keystrokes via addEventListener('keydown')

I wonder how many bugs like this are lurking in the various dark corners of the Chromium/Blink codebase that nobody has taken a good, hard look at in a long time.

Given the staggering importance of the projects they should really have a full-time, well-staffed, well-funded, dedicated team combing through every line, hunting these things down, and fixing them before they have a chance to be used. It'd be a better use of resources than smart fridge integration or whatever other bells and whistles Google has most recently decided to tack onto Chrome.

I always wonder how many zero-days exist on purpose…
"Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL."

Interesting they are listing archived projects and not OSS-Fuzz. What's the reason for this?

(comment deleted)
When I try to look up the CVE/issue I get,

https://issues.chromium.org/issues/483569511 - [TBD][483569511] High CVE-2026-2441: Use after free in CSS. Reported by Shaheen Fazim on 2026-02-11

> Access is denied to this issue. Access to this issue may be resolved by signing in.

"Which reinforces the idea that this was optimized for porn" and I am almost hack online casino and hot photos from pussey or BOOBS... and put...