Update Chrome for Zero Day Vulnerability

This message is intended for U-M IT staff who are responsible for university computers running Google Chrome, and individuals with Chrome on devices they manage themselves (personal or UM-owned).

Summary

Update Google Chrome as soon as possible to protect against a high‑severity zero‑day memory bug that is being exploited in the wild.

Problem

A memory bug, tracked as CVE‑2026‑2441, has been determined to be a high-severity zero-day vulnerability. It is being exploited in the wild and could allow threat actors to achieve remote code execution (RCE).

Threats

This vulnerability is being exploited in the wild.

Affected Versions

  • Windows or Mac: Chrome versions before 145.0.7632.75/76
  • Linux: Chrome versions before 145.0.7632.75

Action Items

Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Update Chrome to:

  • Windows or Mac: version 145.0.7632.75/76 or later
  • Linux: version 145.0.7632.75 or later
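
For staff checking many machines, the comparison against the fixed build can be scripted. The following is an added example, not part of the original advisory: it assumes an inventory of (host, version string) pairs, and the hostnames, sample versions and function names are constructed for illustration. It treats 145.0.7632.75 as the lowest fixed build on every platform and compares each version component as a number, since comparing versions as text misorders builds such as .100 and .75.

```python
import re

# Lowest fixed build named in the advisory (Windows/Mac list .75/.76, Linux .75).
FIXED = (145, 0, 7632, 75)

# Four dot-separated numeric components, e.g. "Google Chrome 145.0.7632.75".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text, fixed=FIXED):
    """True if the version is below the fixed build; None if no version was found."""
    v = parse_version(text)
    if v is None:
        return None
    return v < fixed  # tuple comparison is numeric, component by component


def audit(rows):
    """Split (host, version_text) rows into vulnerable, ok and unknown host lists."""
    result = {"vulnerable": [], "ok": [], "unknown": []}
    for host, text in rows:
        state = needs_update(text)
        key = "unknown" if state is None else ("vulnerable" if state else "ok")
        result[key].append(host)
    return result


# Constructed inventory rows (hostnames and versions are made up for this example).
SAMPLE = [
    ("lab-win-01", "Google Chrome 145.0.7632.76"),
    ("lab-mac-02", "Google Chrome 145.0.7632.9"),    # 9 < 75 numerically
    ("lab-lin-03", "Google Chrome 145.0.7632.100"),  # 100 > 75, though "100" < "75" as text
    ("lab-win-04", "Google Chrome 144.0.7559.133"),
    ("lab-mac-05", "version not reported"),
]

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check; a missing version is not evidence that the machine is patched.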

Technical Details

A memory bug, tracked as CVE‑2026‑2441, has been determined to be a high-severity zero-day vulnerability that is being exploited in the wild. It is a Use-After-Free (UAF) vulnerability in how the browser handles certain font features. Threat actors can exploit it to cause crashes or, in some cases, to run their own code.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

Chrome on MiWorkspace machines is set up to auto update. We advise users to also set other U-M devices they manage, and their personal devices, to auto update Chrome. Automatic updates to Chrome normally happen in the background when you close and reopen Chrome, so we recommend all users take the following action as soon as possible on any device with Chrome installed:

  1. Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
  2. Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.