Detect CVE-2026-2441: Google Chromium CSS Use-After-Free Exploitation in IBM QRadar
Detects exploitation of CVE-2026-2441, a use-after-free vulnerability in the CSS engine of Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow remote code execution via a malicious web page. Detection focuses on abnormal Chromium renderer process behavior, suspicious child process spawning, and memory corruption indicators consistent with UAF exploitation.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
username,
"ParentImage",
"ParentCommandLine",
"Image" AS child_process,
"CommandLine" AS child_cmdline,
sourceip,
destinationip
FROM events
WHERE
LOWER("ParentImage") LIKE '%chrome.exe' OR LOWER("ParentImage") LIKE '%chromium%'
AND "ParentCommandLine" ILIKE '%--type=renderer%'
AND (
LOWER("Image") LIKE '%cmd.exe'
OR LOWER("Image") LIKE '%powershell.exe'
OR LOWER("Image") LIKE '%wscript.exe'
OR LOWER("Image") LIKE '%mshta.exe'
OR LOWER("Image") LIKE '%rundll32.exe'
OR LOWER("Image") LIKE '%regsvr32.exe'
OR LOWER("Image") LIKE '%certutil.exe'
)
AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
LAST 7 DAYSQRadar AQL query identifying Chromium renderer processes spawning potentially malicious child processes, consistent with browser exploit post-exploitation activity from CVE-2026-2441.
Data Sources
Required Tables
False Positives & Tuning
- Chrome Native Messaging hosts that appear as child processes of Chrome
- Enterprise endpoint management agents that inject into Chrome processes
- Browser-based development tools running in non-standard configurations
Other platforms for CVE-2026-2441
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Chromium Renderer Spawning cmd.exe
Expected signal: Sysmon Event ID 1 showing chrome.exe (with --type=renderer in command line) as ParentImage for cmd.exe process creation. DeviceProcessEvents in MDE will show the renderer→cmd.exe lineage.
- Test 2Chromium Renderer Spawning PowerShell with Network Callback
Expected signal: Sysmon Event ID 1 (process create: powershell under chrome renderer), Sysmon Event ID 3 (network connection from powershell to 127.0.0.1:8080). Elastic EQL sequence rule should correlate both events.
- Test 3Validate Unpatched Chrome Version Detection via Asset Inventory
Expected signal: Registry query results showing Chrome version strings per host. CrowdStrike RTR or MDE LiveResponse will log the query execution.
- Test 4CSS Object Lifecycle Stress Test for UAF Trigger Research
Expected signal: On a vulnerable build: renderer process crashes (SIGSEGV or similar) visible in /var/log/syslog or Chromium crash reports under ~/.config/chromium/Crash Reports/. On a patched build: no crash, normal page operation.
Unlock Pro Content
Get the full detection package for CVE-2026-2441 including response playbook, investigation guide, and atomic red team tests.