A critical vulnerability in Chromium's CSS engine has been patched with the release of Ungoogled Chromium 145.0.7632.75. This bug, known as CVE-2026-2441, allowed malicious pages to execute arbitrary code by corrupting memory through use-after-free attacks. The patch validates object lifetimes and adds sanity checks around style rule deletion, making it identical to the security update in regular Chrome releases. Users are advised to upgrade immediately, as exploiting this bug requires only a phishing link and a modern browser, and the fix is lightweight with no noticeable performance hit.

Ungoogled Chromium 145.0.7632.75 fixes critical CSS use‑after‑free bug – what you need to know

The newest Ungoogled Chromium 145.0.7632.75 patches CVE‑2026‑2441, a use‑after‑free vulnerability in the CSS engine that could let malicious pages execute arbitrary code. This article explains why the flaw matters, how the fix is applied, and whether you should upgrade right now.

• 
• 
• 

Why the CVE matters

The bug lives in the part of Chromium that parses style sheets. When a page forces the browser to free a CSS object while it’s still referenced, the next access can corrupt memory and potentially run attacker‑supplied shellcode. In practice, the issue shows up as sudden crashes on sites with complex animations—something many users have reported after installing a recent driver update that changed how GPU memory is handled.

How the patch changes Chromium

Ungoogled Chromium 145.0.7632.75 incorporates the upstream fix from vanilla Chromium: the CSS parser now validates object lifetimes before freeing them, and it adds extra sanity checks around style rule deletion. Because Ungoogled Chromium strips out Google services but otherwise mirrors the official build, the security update is identical to what you’d get in a regular Chrome release. The patch does not add any new flags or settings; it simply replaces the vulnerable binaries.

Downloading the package

You can find the source code on GitHub, and a pre-built Flatpak package is also available on Flathub.

Should you upgrade now?

Skipping this update is unwise. Exploiting a use‑after‑free in CSS requires only a malicious page and a modern browser, which means an attacker could lure a victim with a phishing link and gain code execution without any user interaction beyond loading the page. The fix is lightweight—no noticeable performance hit—and applying it eliminates the attack surface entirely.

Enabling privacy tweaks after the update

Most of Ungoogled Chromium’s privacy features stay disabled by default, so users often enable them manually after a fresh install. After upgrading to 145.0.7632.75, you can re‑activate the usual switches (for example, disabling background networking and turning off URL‑prediction) by adding the corresponding command‑line arguments to your shortcut or editing the master_preferences file. Doing this now ensures that the new build runs with the same hardened configuration you’re used to while still benefiting from the security patch.

If a system is already running an older Ungoogled Chromium version, the safest move is to replace the binaries with the 145.0.7632.75 package and restart the browser. A quick sanity check—opening a site known to stress CSS rendering (such as a heavy animation demo)—should no longer trigger crashes.