Posted by idoxer 8 hours ago

Zero-day CSS: CVE-2026-2441 exists in the wild (chromereleases.googleblog.com)
230 points | 117 comments | page 2
astrobe_ 7 hours ago
This doesn't affect the many browsers based on Chromium?
gruez 6 hours ago
It does, it's just that blog is for chrome so it doesn't mention other browsers.
thinkingemote 6 hours ago
"This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera"
iririririr 5 hours ago
why on earth would you even assume something like this?

honestly curious. do you think "based on chrome" means they forked the engine and not just "applied some UI skin"?

jijji 5 hours ago
use after free.... ahh the irony
fulafel 8 hours ago
Isn't this a wrongly editorialized title - "Reported by Shaheen Fazim on 2026-02-11" so more like 7-day.
Aachen 7 hours ago
It refers to how many days software is available for, with zero implying it is not yet out so you couldn't have installed a new version and that's what makes it a risky bug

The term has long been watered down to mean any vulnerability (since it was always a zero-day at some point before the patch release, I guess is those people's logic? idk). Fear inflation and shoehorning seem to happen to any type of scary/scarier/scariest attack term. Might be easiest not to put too much thought into media headlines containing 0day, hacker, crypto, AI, etc. Recently saw non-R RCEs and supply chain attacks not being about anyone's supply chain copied happily onto HN

Edit: fwiw, I'm not the downvoter

nickelpro 7 hours ago
Its original meaning was days since software release, without any security connotation attached. It came from the warez scene, where groups competed to crack software and make it available to the scene earlier and earlier. A week after general release, three days, same-day. The ultimate was 0-day software, software which was not yet available to the general public.

In a security context, it has come to mean days since a mitigation was released. Prior to disclosure or mitigation, all vulnerabilities are "0-day", which may be for weeks, months, or years.

It's not really an inflation of the term, just a shifting of context. "Days since software was released" -> "Days since a mitigation for a given vulnerability was released".

fulafel 4 hours ago
Wikipedia: A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it

This seems logical since by etymology of zeroday it should apply to the release (=disclosure) of a vuln.

bawolff 6 hours ago
I think the implication in this specific context is that malicious people were exploiting the vuln in the wild prior to the fix being released
baq 8 hours ago
I wonder if this was found with LLM assistance, if yes, with which one and is it a one-off or does it mark a start of a new era (I assume it does).
paavohtl 7 hours ago
Absolutely nothing in the announcement or other publicly available source implies that, to my knowledge. Might as well speculate if a random passer-by on the street is secretly a martian.