they hacked CSS

finally happened. It finally happened. They hacked the CSS. The CSS has been compromised. All hope has lost it. Being kind of, you know, hyperbolic here, but new Chrome Zero Day CVE 2026 2441 is under active attack. And Chrome actually put out their first patch for their first zero day of the year where attackers are exploiting CSS. That part actually isn't hyperbole. The bug is a use after free in the way that Chrome handles CSS. I'll go into what all that means here in a minute. If you're new here, my name is Ed. I make videos about hacking and it's a good times. Hit sub. appreciate it. Uh yeah, so CVE 2026 2441 found by this gentleman here whose name I'm not going to pronounce. I'm going to mess it up. Uh CVS score of 8.8 a use after freebug in the way that Chrome parses and handles CSS allowing a remote attacker to execute arbitrary code inside of the sandbox via a crafted HTML page. And while not a lot of details are out about this intentionally, Google does actively acknowledge that an exploit for this exists in the wild. So that means that maybe their threat analysis team or their telemetry has caught this exploit being thrown in the wild. Very interesting stuff here. How can one hack CSS, right? How how is that entirely possible? Well, let's go into this, right? It's important to understand that Google Chrome like any other piece of software is just software and the code underneath it that parses CSS that parses JavaScript is written in most of the time a memory unsafe language like C or C++. And guys, while we can't stop bugs like this from happening, one thing we can do is stay ahead of cyber actors with today's sponsor, Flare. Flare is a threat exposure management platform that allows you to see if you or your company's data has been sold on the dark web by cyber actors. One thing I like about Flare is they have a feed of events where you can go and search for interesting keywords that you're curious about that are happening on the dark web. One of them, obviously, is the recent Clawbot, OpenC Claw Malt Books thing. If you're not aware, OpenClaw, the very trendy AI agent thing, there's actually now a Facebook equivalent for those AIs to talk to each other called Moltbook. And if you're curious about how hackers are potentially using Moltbook to do like, you know, nefarious transactions, you can search Flare events for mentions of Moltbook. And people are actively talking about it in illicit Telegram channels and on places like breach forms right now. And as usual, guys, Flair's bread and butter is the identifiers. If you put in your identifiers into the Flare system, if any of your identifiers come up in conversations about Moltbook or otherwise in any of Flair's feeds, you will get an alert from Flare telling you exactly where it was found and what you can do to prevent more damage. Guys, the best way to help the channel out is to go interact with the sponsors. Go give Flare a shot. You can use Flare for free right now at the link below. Flare, thanks again for sponsoring the video. Back to the video. So the actual exact technical reason for the vulnerability is a use after free and the way that the browser parses these things here this font feature values for a particular font name right so I again I'm not I'm not a front-end guy okay I have a real job uh but what you can do here is specify for a certain font name maybe that you have different style sets where like you you can say the style for this version is this or the the boldness for this version is this you know you basically can add additional features to font fonts if you if you so choose. Okay. Now, in the actual code for this, there is a a feature called CSS font feature value maps. Okay. So, to go into this, we have to talk about what a use after free is, right? A use after free is exactly what it sounds like. You have a pointer to some structure in memory, right? And then you free it, but that pointer is still being used. What you're allowed to do is effectively confuse the type that it points to by pointing it to two different types at the same time. The classic example is you have strct cat and strct dogs. And there are two types that overlay each other. You have an int spot one and one and you have a pointer in spot one and the other. What can happen here is if a use after free occurs, it allows a pointer to point to both a controlled cat and a controlled dog. An attacker that can modify the ID can set the ID value to a particular pointer and then use that to modify parts of the program. Right? It gets very hairy very fast. And so a use after free occurs here because we have two global pointers, Randy and Frank. And I'm able to create a new dog whose name is Frank and create a new cat whose name is Randy. But all the while if I delete the dog or delete the cat, I free them but I don't delete the pointer. So when I do follow on operations like print dog for example, I can use after free the Frank pointer. Even though it's freed, it'll now contain information from Randy. And you can see this pretty quickly. We can take this example here, run it in GDB, we'll run it. So if I make new dog, delete the dog, make a new cat because I have a use after free primitive. What I can do is now print the dog anyway. And you'll see that I'm trying to dreference that long number the ID as a pointer which is crashing the program right now. Again, if this were an attacker controlled value, I could turn this primitive into an arbitrary read, leak memory out, or an arbitrary right. It gets very messy very fast. Now, what's cool about browser exploits is at the end of the day, you're actually exploiting the browser through a bug that manifests in JavaScript or CSS. And unlike a lot of Chrome bugs that I've seen, this one has a pock that you can actually test to see if your browser is currently vulnerable. Mine is not, so I can't actually run this, but I can show you what's generally happening here. So, again, remember use after free. We free something, but somewhere else in memory, it is still tracked and being used. Okay, so we have that font feature set for test font. We create this style set parameter. Again, I'm not a CSS guy. I don't know exactly what's happening here, but you see we have this function. Well, what we're able to do is look into the stylesheet and find the CSS rule zero. Then we can iterate over all of the rules in that map. Right? This is a just, you know, turn converting the CSS rules that are manifested here into a map you can iterate over in JavaScript. Okay, what they're doing is basically iterating over that map and they are deleting an entry in that map and setting it to something else, right? Which is really, really interesting. Now this looks all well and good but the problem is if you actually go to the source code in Chrome before this commit occurred they are using a reference to those values in the actual code that is doing the CSS font feature value map. Right? So they're iterating over this and iterating and pointing to a reference but underneath the hood the pointer that is pointing to the thing is not accounting for the fact that it may have been deleted in the meantime. So as you're iterating over it you could potentially delete it. kind of like a race condition going on here that enables a use after free. And so the solution to this problem is all they have to do is I think the short-term solution for Google is instead of doing a reference, they're doing a move, right? So they take this uh this font map that's manifesting here and instead of pointing a pointer to it when they iterate over it, they're going to make a copy of it and move the copy over into that map, which is really interesting. And again, I think they have a potential like to-do in the future that gives them a better solution for this. Like what is it? This addresses the immediate problem of iterating while modifying, right? So you know this is basically them saying hey instead of us having this thing where we point to a thing and the underlying map can go away let's just make a copy of it and then you know iterate over it that way and just in case you're new to this industry right this is not the first time we've had like zero days like this in browsers actually browser exploitation is like an active problem in cyber security like for example last year the tech giant being Google addressed eight zeroday flaws that were being exploited in the wild by thread actors meaning there is somebody out there who has a server ver that serves you malicious JavaScript or or CSS and is using that to pop browsers and there are entire teams at Google like their tag team their threat analysis group and project zero whose like whole life goal is to remove these kinds of vulnerabilities from the codebase. Super interesting stuff. Previous bugs existed in the almost native graphics layer engine angle which is like basically the almost hardware layer that Google uses to render data in the browser. Just like anything else, if you are parsing media formats, those media formats are going to be very complicated. and as a result going to have potential vulnerabilities that can arise in memory safe in memory unsafe languages. And the classic question from the class would rust have solved this problem. Actually, yeah, this is one of the uh common areas that rust is like very much designed to to solve, right? A use after free is one of the things that rust by design does not allow to happen. You know, there's a lot of talk about like if rust actually is or is not a good thing for memory safety or for software safety. You know, I wouldn't want to write all of the bin utils in Linux and Rust, for example, because there's no meaningful attack surface here. But browsers have the very unfortunate task of literally parsing arbitrary user data and most of the arbitrary user data is media data. So like very complicated parsing formats. So doing that in Rust is a much safer option than doing it in C++. That being said, that is actually like why the Mosilla team created Rust, right? They maintain Firefox and Firefox a lot of their components I think actually their CSS renderer is written in Rust, right? Which makes it very difficult to exploit from a memory safety standpoint. But but low level, what can I do? Okay, the answer is very simple. Just update your browser. Just go get the latest Chrome version, you know, and maybe there's latent zero days hiding in that Chrome version, too. But uh you know, if people are throwing zero days at you, maybe uh maybe you deserve it. I don't know. Anyway, thanks for watching. I appreciate it. We'll see you in the next one. Take care. Go.

Get a 14-day FREE trail of flare at https://go.lowlevel.tv/flare2026 . See if you or your company's data is floating around the dark web. 🏫 MY COURSES Sign-up for my FREE 3-Day C Course: https://lowlevel.academy 🧙‍♂️ HACK YOUR CAREER Wanna learn to hack? Join my new CTF platform: https://stacksmash.io ⌨️ KEYBOARD Like what you hear? Grab a Q5 at https://go.lowlevel.tv/keyboard 🔥COME HANG OUT Check out my other stuff: https://lowlevel.tv