March 2, 2026

MultiApp-CVE-2026-2441

Chrome vulnerability

Lookout Coverage and Recommendation for Admins

Lookout is scheduled to release security coverage for MultiApp-CVE-2026-2441 starting with Google Chrome (Android) on March 4, 2026. This will be followed by expanded support for Microsoft Edge (Android) during the week of March 9, 2026. Once these updates are live, the platform will automatically generate alerts and trigger workflows based on each administrator's predefined risk, response, and escalation configurations.

To ensure your devices are protected, Lookout admins should take the following actions in their Lookout console:

  • Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on the device.
  • Update devices with vulnerable browser versions of Google Chrome Android below 145.0.7632.109 and Microsoft Edge (Android) below 145.0.3800.85.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities.
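The version check behind the second action above, as an added example that is not Lookout's own code: it compares installed Chrome and Edge (Android) builds numerically against the fixed builds the advisory lists, and the device inventory is constructed sample data.

```python
from typing import Dict, List, Tuple

# Minimum fixed builds on Android, as listed in the advisory above.
PATCHED_VERSIONS: Dict[str, str] = {
    "Google Chrome (Android)": "145.0.7632.109",
    "Microsoft Edge (Android)": "145.0.3800.85",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chromium build string into an integer tuple.

    Numeric comparison matters: as plain strings, "145.0.7632.9" sorts after
    "145.0.7632.109", which would wrongly mark the older build as patched.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed build for this product."""
    fixed = parse_version(PATCHED_VERSIONS[product])
    return parse_version(installed) < fixed

# Constructed sample inventory: (device id, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("dev-001", "Google Chrome (Android)", "145.0.7632.109"),  # exactly the fix
    ("dev-002", "Google Chrome (Android)", "145.0.7632.9"),    # older build
    ("dev-003", "Microsoft Edge (Android)", "145.0.3800.84"),  # one below fix
    ("dev-004", "Microsoft Edge (Android)", "146.0.3900.0"),   # newer major
    ("dev-005", "Firefox (Android)", "140.0.1"),               # not in scope
]

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory rows that still need the CVE-2026-2441 update."""
    needs_update = []
    for device_id, product, installed in inventory:
        if product not in PATCHED_VERSIONS:
            continue  # browser not covered by this advisory
        if is_vulnerable(product, installed):
            needs_update.append((device_id, product, installed))
    return needs_update

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("UPDATE REQUIRED:", *row)
```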

Overview

Google has disclosed a high-severity vulnerability, CVE-2026-2441, affecting the Chromium project. It is a use-after-free (UAF) vulnerability in the CSS engine of Google Chrome, specifically in the handling of CSSFontFeatureValuesMap. An attacker can exploit this flaw via a specially crafted HTML page to cause heap corruption, which could potentially lead to unauthorized code execution inside the browser sandbox. CVE-2026-2441 has been patched in Google Chrome (Android) 145.0.7632.109 and above, and in Microsoft Edge (Android) 145.0.3800.85 and above.

United States government organizations following CISA frameworks should have all vulnerable devices patched by March 10, 2026. While this mandate applies to federal agencies, enterprise organizations are strongly advised to follow the same timeline.

Lookout Analysis

The vulnerability poses a maximum risk to Confidentiality, Integrity, and Availability. Successful exploitation allows unauthorized access to sensitive data, such as saved passwords and session cookies, while enabling attackers to inject malicious scripts into other websites or trigger persistent application crashes on mobile devices.

The exploitation of CVE-2026-2441 typically follows these five steps:

Exploitation Lifecycle:

  1. Luring: The user is directed to a malicious website containing crafted CSS/HTML.
  2. Freeing: A logic error in the CSS engine "frees" a memory block while a pointer is still active.
  3. Grooming: The attacker "sprays" the heap to fill the vacated slot with a malicious "fake" object.
  4. Redirecting: The browser attempts to use the original pointer, unknowingly executing instructions from the fake object.
  5. Executing: The attacker achieves Remote Code Execution (RCE), leading to data exfiltration or further system compromise.

Authors

Lookout

Entry Type: Threat Guidances
Threat Type: Vulnerability