| ▲ | Zero-day CSS: CVE-2026-2441 exists in the wild(chromereleases.googleblog.com) |
| 127 points by idoxer 2 hours ago | 52 comments |
| |
|
| ▲ | mpeg an hour ago | parent | next [-] |
| "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera." That's pretty bad! I wonder what kind of bounty went to the researcher. |
| |
| ▲ | duozerk an hour ago | parent | next [-] | | > That's pretty bad! I wonder what kind of bounty went to the researcher. I'd be surprised if it's above 20K$. Bug bounties rewards are usually criminally low; doubly so when you consider the efforts usually involved in not only finding serious vulns, but demonstrating a reliable way to exploit them. | | |
| ▲ | wepple 9 minutes ago | parent | next [-] | | > but demonstrating a reliable way to exploit them Is this a requirement for most bug bounty programs? Particularly the “reliable” bit? | |
| ▲ | naeioi an hour ago | parent | prev | next [-] | | The bounty could be very high. Last year one bug’s reporter was rewarded $250k. https://news.ycombinator.com/item?id=44861106 | | |
| ▲ | duozerk 37 minutes ago | parent [-] | | Maybe google is an exception (but then again, maybe that payout was part marketing to draw more researchers). |
| |
| ▲ | salviati an hour ago | parent | prev [-] | | I think a big part of "criminally low" is that you'll make much more money selling it on the black market than getting the bounty. | | |
| ▲ | duozerk 44 minutes ago | parent | next [-] | | I read this often, and I guess it could be true, but those kinds of transaction would presumably go through DNM / forums like BF and the like. Which means crypto, and full anonymity. So either the buyer trusts the seller to deliver, or the seller trusts the buyer to pay. And once you reveal the particulars of a flaw, nothing prevents the buyer from running away (this actually also occurs regularly on legal, genuine bug bounty programs - they'll patch the problem discreetly after reading the report but never follow up, never mind paying; with little recourse for the researcher). Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying. And I imagine much of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house. The way this trust issue is (mostly) solved in drugs DNM is through the platform itself acting as a escrow agent; but I suspect such a thing would not work as well with selling vulnerabilities, because the volume is much lower, for one thing (preventing a high enough volume for reputation building); the financial amounts generally higher, for another. The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group. | | |
| ▲ | moring 19 minutes ago | parent [-] | | > Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of details required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying. Is conning a seller really worth it for a potential buyer? Details will help an expert find the flaw, but it still takes lots of work, and there is the risk of not finding it (and the seller will be careful next time). > And I imagine much of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house. They also have the money to just buy an exploit. > The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group. I'd imagine the skills needed to get paid from ransomware victims without getting caught to be very different from the skills needed to find a vulnerability. |
| |
| ▲ | consumer451 44 minutes ago | parent | prev [-] | | I am far from the halls of corporate decision making, but I really don't understand why bug bounties at trillion dollar companies are so low. | | |
| ▲ | arcfour 33 minutes ago | parent [-] | | Because it's nice to get $10k legally + public credit than it is to get $100k while risking arrest + prison time, getting scammed, or selling your exploit to someone that uses it to ransom a children's hospital? | | |
| ▲ | kspacewalk2 9 minutes ago | parent [-] | | Is it in fact illegal to sell a zero day exploit of an open source application or library to whoever I want? |
|
|
|
| |
| ▲ | bicepjai an hour ago | parent | prev | next [-] | | So basically Firefox is not affected ? | | |
| ▲ | hdgvhicv 35 minutes ago | parent | next [-] | | The listed browsers are basically skins on top of the same chromium base. It’s why Firefox and Safari as so important despite HN’a wish they’d go away. | | |
| ▲ | wvbdmp 8 minutes ago | parent [-] | | Particularly weird impulse for technically inclined people… Although I must admit to the guilty pleasure of gleefully using Chromium-only features in internal apps where users are guaranteed to run Edge. |
| |
| ▲ | zozbot234 30 minutes ago | parent | prev | next [-] | | Firefox is safe from this because their CSS handling was the first thing they rewrote in Rust. | |
| ▲ | jsheard an hour ago | parent | prev | next [-] | | Firefox and Safari are fine in this case, yeah. | |
| ▲ | DetroitThrow an hour ago | parent | prev [-] | | It's pretty hard to have an accidental a use after free in the FireFox CSS engine because it is mostly safe Rust. It's possible, but very unlikely. | | |
| ▲ | topspin 36 minutes ago | parent | next [-] | | That came to my mind as well. CSS was one of the earliest major applications of Rust in FireFox. I believe that work was when the "Fearless Concurrency" slogan was popularized. | |
| ▲ | moritzwarhier 28 minutes ago | parent | prev [-] | | Firefox and Safari developers dared the Chromium team to implement :has() and Houdini and this is the result! /s |
|
| |
| ▲ | pjmlp an hour ago | parent | prev | next [-] | | Yeah, but lets keeping downplaying use-after-free as something not worth eliminating in 21st century systems languages. | | |
| ▲ | pheggs an hour ago | parent [-] | | I love rust but honestly I am more scared about supply chain attacks through cargo than memory corruption bugs. The reason being that supply chain attacks are probably way cheaper to pull off than finding these bugs | | |
| ▲ | cogman10 41 minutes ago | parent | next [-] | | If you can bring in 3rd party libraries, you can be hit with a supply chain attack. C and C++ aren't immune, it's just harder to pull off due to dependency management being more complex (meaning you'll work with less dependencies naturally). | |
| ▲ | kibwen an hour ago | parent | prev | next [-] | | But this is irrelevant. If you're afraid of third-party code, you can just... choose not to use third-party code? Meanwhile, if I'm afraid of memory corruption in C, I cannot just choose not to have memory corruption; I must instead simply choose not to use C. Meanwhile, Chromium uses tons of third-party Rust code, and has thereby judged the risk differently. | | |
| ▲ | JoeAltmaier an hour ago | parent [-] | | Maybe it's more complicated than that? With allocate/delete discipline, C can be fairly safe memory-wise (written a million lines of code in C). But automated package managers etc can bring in code under the covers, and you end up with something you didn't ask for. By that point of view, we reverse the conclusion. |
| |
| ▲ | staticassertion an hour ago | parent | prev [-] | | Google already uses `cargo-vet` for rust dependencies. | | |
| ▲ | pheggs an hour ago | parent [-] | | thats good, but it wont eliminate the risk | | |
| ▲ | staticassertion an hour ago | parent [-] | | Nothing eliminates the risk but it is basically a best-in-class solution. If your primary concern is supply chain risk, there you go, best in class defense against it. If anything, what are you doing about supply chain for the existing code base? How is cargo worse here when cargo-vet exists and is actively maintained by Google, Mozilla, and others? |
|
|
|
| |
| ▲ | waynesonfire an hour ago | parent | prev [-] | | "Actually, you forgot Brave." | | |
| ▲ | mpeg an hour ago | parent [-] | | I quoted directly from NIST, there's many other browsers and non-browsers that use chromium | | |
| ▲ | waynesonfire an hour ago | parent [-] | | It was intended as a joke reference to the 2004 Kerry / Bush debate. It's not a coincidence that Google would leave off an ad-blocking variant of Chrome. | | |
| ▲ | pear01 13 minutes ago | parent | next [-] | | did you also take poland being omitted to be some sort of conspiracy? seems you missed the point of why that "Actually, you forgot..." moment became such a punchline. Like it or not Brave is a very niche browser with rather insignificant market share why you would expect them to be mentioned in the first place is entirely lost on me. there are dozens of chromium forks also with under 1% market share, should we be forced to mention them all? | |
| ▲ | order-matters 38 minutes ago | parent | prev [-] | | they listed the top 3 most popular chromium browsers, covering 90%+ of chromium users | | |
|
|
|
|
|
| ▲ | tripplyons an hour ago | parent | prev | next [-] |
| "Use after free in CSS" is a funny description to see. |
| |
| ▲ | maxloh 42 minutes ago | parent | next [-] | | I think they meant something like the CSS parser, or the CSS Object Model (CSSOM). | |
| ▲ | w4yai an hour ago | parent | prev [-] | | Why ? | | |
| ▲ | 8-prime an hour ago | parent [-] | | To me at least it reads funny because when I think of CSS I think of the language itself and not the accompanying tools that are then running the CSS. Saying "Markdown has a CVE" would sound equally off.
I'm aware that its not actually CSS having the vulnerability but when simplified that's what it sounds like. |
|
|
|
| ▲ | himata4113 an hour ago | parent | prev | next [-] |
| The fact that these still show up is pretty wild to me. Don't we have a bunch of tools that should create memory-safish binaries by applying the same validation checks that memory-safe languages get for free purely from their design? I get that css has changed a lot over the years with variables, scopes and adopting things from less/sass/coffee, but people use no-script for the reason because javascript is risky, but what if css can be just as risky... time to also have no-style? Honestly, pretty excited for the full report since it's either stupid as hell or a multi-step attack chain. |
| |
| ▲ | staticassertion an hour ago | parent [-] | | > Don't we have a bunch of tools that should create memory-safish binaries by applying the same validation checks that memory-safe languages get for free purely from their design? No, we don't. All of the ones we have are heavily leveraged in Chromium or were outright developed at Google for similar projects. 10s of billions are spent to try to get Chromium to not have these vulnerabilities, using those tools. And here we are. I'll elaborate a bit. Things like sanitizers largely rely on test coverage. Google spends a lot of money on things like fuzzing, but coverage is still a critical requirement. For a massive codebase, gettign proper coverage is obviously really tricky. We'll have to learn more about this vulnerability but you can see how even just that limitation alone is sufficient to explain gaps. |
|
|
| ▲ | ripbozo 30 minutes ago | parent | prev | next [-] |
| I'd love to see what the PoC code looks like, of course after the patch has been rolled out for a few weeks. |
| |
|
| ▲ | astrobe_ 37 minutes ago | parent | prev | next [-] |
| This doesn't affect the many browsers based on Chromium? |
| |
| ▲ | gruez 3 minutes ago | parent | next [-] | | It does, it's just that blog is for chrome so it doesn't mention other browsers. | |
| ▲ | thinkingemote 7 minutes ago | parent | prev [-] | | "This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera" |
|
|
| ▲ | bitbasher an hour ago | parent | prev | next [-] |
| Maybe Chromium should also rewrite their rendering engine in Rust ;p |
|
| ▲ | MallocVoidstar an hour ago | parent | prev | next [-] |
| Devtools is seemingly partially broken in this version, if I have devtools open on a reasonably dynamic web app Chrome will crash within a minute or two |
| |
| ▲ | aapoalas 28 minutes ago | parent [-] | | It's also been ridiculously slow for a month or two now :/ not a good time to be working on some relatively intricate performance optimisation with DevTools taking 1-4 seconds to even start the performance recording. |
|
|
| ▲ | baq an hour ago | parent | prev | next [-] |
| I wonder if this was found with LLM assistance, if yes, with which one and is it a one-off or does it mark a start of a new era (I assume it does). |
| |
| ▲ | paavohtl 38 minutes ago | parent [-] | | Absolutely nothing in the announcement or other publicly available source implies that, to my knowledge. Might as well speculate if a random passer-by on the street is secretly a martian. |
|
|
| ▲ | fulafel an hour ago | parent | prev [-] |
| Isn't this a wrongly editorialized title - "Reported by Shaheen Fazim on 2026-02-11" so more like 7-day. |
| |
| ▲ | Aachen an hour ago | parent [-] | | It refers to your many days software is available for, with zero implying it is not yet out so you couldn't have installed a new version and that's what makes it a risky bug The term has long watered-down to mean any vulnerability (since it was always a zero-day at some point before the patch release, I guess is those people's logic? idk). Fear inflation and shoehorning seems to happen to any type of scary/scarier/scariest attack term. Might be easiest not to put too much thought into media headlines containing 0day, hacker, crypto, AI, etc. Recently saw non-R RCEs and supply chain attacks not being about anyone's supply chain copied happily onto HN Edit: fwiw, I'm not the downvoter | | |
| ▲ | nickelpro 36 minutes ago | parent [-] | | It's original meaning was days since software release, without any security connotation attached. It came from the warez scene, where groups competed to crack software and make it available to the scene earlier and earlier. A week after general release, three days, same-day. The ultimate was 0-day software, software which was not yet available to the general public. In a security context, it has come to mean days since a mitigation was released. Prior to disclosure or mitigation, all vulnerabilities are "0-day", which may be for weeks, months, or years. It's not really an inflation of the term, just a shifting of context. "Days since software was released" -> "Days since a mitigation for a given vulnerability was released". |
|
|
