CVE-2026-2441

CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation

Initial Access Execution Defense Evasion Last updated:

Detects exploitation of CVE-2026-2441, a use-after-free vulnerability in the CSS engine of Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow remote code execution via a malicious web page. Detection focuses on abnormal Chromium renderer process behavior, suspicious child process spawning, and memory corruption indicators consistent with UAF exploitation.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Google
Product
Chromium

Weakness (CWE)

CWE-416

Timeline

Disclosed
February 17, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-2441 CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation?

CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation (CVE-2026-2441) maps to the Initial Access and Execution and Defense Evasion tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Defense Evasion
Microsoft Sentinel / Defender
kusto 
let suspiciousChildProcs = dynamic(['cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe','schtasks.exe','certutil.exe','bitsadmin.exe']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ 'chrome.exe' or InitiatingProcessFileName =~ 'chromium.exe'
| where InitiatingProcessCommandLine has '--type=renderer'
| where FileName in~ (suspiciousChildProcs)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId
| extend AlertReason = 'Chromium renderer spawned suspicious child process - potential CVE-2026-2441 exploitation'

Detects Chromium renderer processes spawning suspicious child processes, which is a strong indicator of successful use-after-free exploitation leading to code execution. Renderer processes should never directly spawn shells or LOLBins.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate browser extensions that spawn helper processes with unusual names
  • Enterprise security tools hooking into Chrome renderer processes
  • Developer builds of Chromium with non-standard flags or debugging tools attached

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation (CVE-2026-2441) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-2441 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-2441

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Chromium Renderer Spawning cmd.exe

    Expected signal: Sysmon Event ID 1 showing chrome.exe (with --type=renderer in command line) as ParentImage for cmd.exe process creation. DeviceProcessEvents in MDE will show the renderer→cmd.exe lineage.

  2. Test 2Chromium Renderer Spawning PowerShell with Network Callback

    Expected signal: Sysmon Event ID 1 (process create: powershell under chrome renderer), Sysmon Event ID 3 (network connection from powershell to 127.0.0.1:8080). Elastic EQL sequence rule should correlate both events.

  3. Test 3Validate Unpatched Chrome Version Detection via Asset Inventory

    Expected signal: Registry query results showing Chrome version strings per host. CrowdStrike RTR or MDE LiveResponse will log the query execution.

  4. Test 4CSS Object Lifecycle Stress Test for UAF Trigger Research

    Expected signal: On a vulnerable build: renderer process crashes (SIGSEGV or similar) visible in /var/log/syslog or Chromium crash reports under ~/.config/chromium/Crash Reports/. On a patched build: no crash, normal page operation.

Unlock Pro Content

Get the full detection package for CVE-2026-2441 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0005Defense Evasion

Related Techniques

T1203Exploitation for Client ExecutionT1189Drive-by CompromiseT1055Process Injection

Same Tactic: Initial Access

Popular Detections