On February 17, 2026, CISA added CVE-2026-2441 — a critical use-after-free in Google Chrome’s CSS component — to the Known Exploited Vulnerabilities (KEV) catalog. This marks the first confirmed Chrome zero-day actively used in attacks this year, enabling remote code execution via crafted HTML pages.
Chrome zero-days in the wild are not rare. They follow a clear pattern.
Chrome’s First KEV by Year
(This table highlights the date when the first Chrome vulnerability was added to the KEV catalog each year, showing the recurring early-year threat pattern.)
| Year | Date Added | CVE ID |
| --- | --- | --- |
| 2021 | November 3 | Multiple |
| 2022 | January 10 | CVE-2020-6572 |
| 2023 | April 17 | CVE-2023-2033 |
| 2024 | January 2 | CVE-2023-7024 |
| 2025 | March 27 | CVE-2025-2783 |
| 2026 | February 17 | CVE-2026-2441 |
While the first of each year stands out, Chrome has far more exploited vulnerabilities overall.
AppGuard Controls Mitigation for All Chrome KEVs (2021–2026)
(This table summarizes how AppGuard’s three controls mitigate post-exploit actions across every Chrome KEV in the period.)
| Year | Number of KEVs | Launch | Contain | Isolate |
| --- | --- | --- | --- | --- |
| 2021 | 18 | Yes | Yes | Yes |
| 2022 | 13 | Yes | Yes | Yes |
| 2023 | 6 | Yes | Yes | Yes |
| 2024 | 4 | Yes | Yes | Yes |
| 2025 | 7 | Yes | Yes | Yes |
| 2026 | 1 | Yes | Yes | Yes |
- Launch: Restricts executions from high-risk user-space folders.
- Contain: Limits the entire Chrome process tree, including default-deny of unauthorized child processes (with full inheritance to any spawned children).
- Isolate: Protects registry keys, files, memory, and credential stores from unauthorized access or modification.
By enforcing these controls, AppGuard also significantly reduces the overall attack surface, slashing the potential harm from this never-ending stream of Chrome vulnerabilities.
The Top 20 Most Common Post-Exploit Actions After Browser RCE That AppGuard Controls Stop
(Mandiant’s M-Trends 2025 and MITRE ATT&CK data show these are the actions attackers take immediately after gaining code execution inside Chrome.)
| Rank | Post-Exploit Action (Human Terms) | MITRE ATT&CK | Primary Actor Process | AppGuard Control(s) |
| --- | --- | --- | --- | --- |
| 1 | Launches PowerShell or cmd.exe as child | T1059.001 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 2 | Writes to registry Run key for persistence | T1547.001 | chrome.exe or child | Chrome process tree containment blocks malicious actions; Isolation of objects blocks malicious actions |
| 3 | Launches child for reconnaissance commands | T1059.001 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 4 | Drops executable to %TEMP% or Downloads then launches it | T1105 | chrome.exe | Launches from High-risk folders blocked; Chrome process tree containment blocks malicious actions |
| 5 | Spawns wscript/cscript for malicious script | T1059.007 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 6 | Loads malicious DLL via side-loading | T1574.002 | chrome.exe | Launches from High-risk folders blocked |
| 7 | Dumps LSASS memory for credentials | T1003.001 | chrome.exe or child | Isolation of objects blocks malicious actions |
| 8 | Uses COM objects to access files or registry | T1559 | chrome.exe | Chrome process tree containment blocks malicious actions; Isolation of objects blocks malicious actions |
| 9 | Creates scheduled task for persistence | T1053.005 | chrome.exe or child | Chrome process tree containment blocks malicious actions; Isolation of objects blocks malicious actions |
| 10 | Attempts to read Chrome’s saved passwords or cookies | T1555.003 | chrome.exe | Isolation of objects blocks malicious actions |
| 11 | Writes malicious script to user-space then launches it | T1105 | chrome.exe | Launches from High-risk folders blocked; Chrome process tree containment blocks malicious actions |
| 12 | Uses rundll32 proxy execution | T1218 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 13 | Creates new Windows service for persistence | T1543.003 | chrome.exe or child | Chrome process tree containment blocks malicious actions; Isolation of objects blocks malicious actions |
| 14 | Writes to Startup folder for persistence | T1547.001 | chrome.exe or child | Launches from High-risk folders blocked; Chrome process tree containment blocks malicious actions |
| 15 | Accesses protected files outside the sandbox | T1083 | chrome.exe | Isolation of objects blocks malicious actions |
| 16 | Uses PowerShell child for malicious commands | T1059.001 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 17 | Modifies registry for privilege escalation | T1548 | chrome.exe or child | Chrome process tree containment blocks malicious actions; Isolation of objects blocks malicious actions |
| 18 | Performs fileless execution in memory | T1055 | chrome.exe | Chrome process tree containment blocks malicious actions |
| 19 | Uses regsvr32 to load malicious DLL | T1218 | chrome.exe spawns child | Chrome process tree containment blocks malicious actions |
| 20 | Attempts to inject code into system processes | T1055 | chrome.exe | Chrome process tree containment blocks malicious actions |
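
The Launch and Contain rules described above, expressed as an audit-mode check over process-creation events (an added example, not AppGuard's code or policy). The Chrome install path, the high-risk folder list, the event fields (modelled on Sysmon Event ID 1) and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed policy values for illustration; not AppGuard's actual rule set.
CHROME = r"c:\program files\google\chrome\application\chrome.exe"
ALLOWED_IN_TREE = {CHROME}   # Chrome's own renderer/GPU/utility helpers
HIGH_RISK_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

def evaluate(events):
    """Flag launches that the Contain or Launch rule would deny.

    events: process-creation records in time order with pid, ppid, image.
    Returns a list of (pid, image name, [rules violated]).
    """
    contained = set()    # pids that belong to the Chrome process tree
    findings = []
    for ev in events:
        path = ev["image"].lower()
        inherited = ev["ppid"] in contained
        reasons = []
        # Contain: default-deny anything in the tree that is not allow-listed.
        if inherited and path not in ALLOWED_IN_TREE:
            reasons.append("contain")
        # Launch: execution from a high-risk user-space folder, any parent.
        if any(d in path for d in HIGH_RISK_DIRS):
            reasons.append("launch")
        # Inheritance: every descendant stays in the tree, so grandchildren
        # of a flagged child are flagged as well (audit mode keeps tracking).
        if inherited or path == CHROME:
            contained.add(ev["pid"])
        if reasons:
            findings.append((ev["pid"], ntpath.basename(path), reasons))
    return findings

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 210, "ppid": 200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 300, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\whoami.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Users\alice\Downloads\update.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 600, "ppid": 210,
     "image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe"},
]
```

Matching on the full image path rather than the file name keeps a payload that is merely named `chrome.exe` from passing the allow-list.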
With memory-based attacks and process injection techniques on the rise, AppGuard’s Contain and Isolate controls are increasingly critical. They prevent compromised browsers from stealing credentials from memory or injecting code into other processes.
As with every earlier first-in-the-wild Chrome exploit, AppGuard mitigates the risk not by pattern-matching guesswork, as EDR/XDR does, but with controls-based endpoint protection that blocks malicious activities before damage occurs.
Detection tools are necessary but not sufficient. Add AppGuard’s controls-based layer for practical, low-friction protection that complements what you already have.