New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released
Google on Friday released security updates for its Chrome browser to address a security flaw that it said has been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS. Security researcher Shaheen Fazim has been credited with discovering and reporting the shortcoming on February 11, 2026.
“Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).
Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted, but it acknowledged that “an exploit for CVE-2026-2441 exists in the wild.”
Source: The Hacker News / BleepingComputer / SecurityWeek / Chrome Releases blog
Link: https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
Link: https://www.securityweek.com/google-patches-first-actively-exploited-chrome-zero-day-of-2026/
Link: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Other Devices
Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.
The vulnerability, tracked as CVE-2026-20700 (CVSS score: 7.8), has been described as a memory corruption issue in dyld, Apple’s Dynamic Link Editor. Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” the company said in an advisory. “CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”
It’s worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in December 2025, with the former first disclosed by Google as having been exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) relates to an out-of-bounds memory access in ANGLE’s Metal renderer component. Metal is a high-performance hardware-accelerated graphics and compute API developed by Apple.
Source: The Hacker News / BleepingComputer / SecurityWeek / SANS Internet Storm Center
Link: https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html
Link: https://www.securityweek.com/apple-patches-ios-zero-day-exploited-in-extremely-sophisticated-attack/
Link: https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20February%202026/32706
Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days
Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.
Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).
It’s worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could allow an unauthorized attacker to perform spoofing over a network by taking advantage of a “user interface misrepresentation of critical information.”
Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited –
- CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
- CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
- CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.
Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which have been listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, or whether they were weaponized as part of the same campaign.
Source: The Hacker News / BleepingComputer / Krebs on Security / SecurityWeek / Cisco Talos Intelligence Group / Dark Reading / SANS Internet Storm Center
Link: https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html
Link: https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-february-2026/
Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20February%202026/32700
Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution
Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.
The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.
“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” Fortinet said in an advisory.
The shortcoming affects the following versions –
- FortiClientEMS 7.2 (Not affected)
- FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
- FortiClientEMS 8.0 (Not affected)
Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw.
Source: The Hacker News / SecurityWeek / Fortinet PSIRT blog
Link: https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html
Link: https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities/
Link: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
Microsoft Warns of ClickFix Attack Abusing DNS Lookups
Microsoft has warned users that threat actors are leveraging a new variant of the ClickFix technique to deliver malware. The ClickFix attack method has been increasingly used in the past year by both cybercriminals and state-sponsored threat groups.
The attack involves attackers displaying a fake error message on a compromised or malicious site. The message instructs the target to address the issue by pressing specific keys, then performing additional steps (e.g., running a command). By following the attacker’s instructions, the user unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts.
In a recent ClickFix attack observed by Microsoft, the attacker asked targets to run a command that executes a custom DNS lookup.
Source: SecurityWeek
Link: https://www.securityweek.com/microsoft-warns-of-clickfix-attack-abusing-dns-lookups/
From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers
Analysis of the Evelyn Stealer campaign targeting software developers shows that threat actors are weaponizing the Visual Studio Code (VSC) extension ecosystem to deploy a multistage, information-stealing malware. The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems.
This activity affects organizations with software development teams that rely on VSC and third-party extensions as well as those with access to production systems, cloud resources, or digital assets.
Source: Trend Micro blog
Link: https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
Security Governance & Leadership
Security programs shouldn’t be tied to a specific tool or control. They need someone to own the risk. Firewalls expire, policies gather dust, controls erode, not because of maliciousness or incompetence, but because governance was either not firmly established, or because it lost accountability.
Source: Secjuice
Link: https://www.secjuice.com/security-governance-leadership/