Google has released an emergency Chrome update addressing CVE-2026-5281, a use-after-free vulnerability in Dawn (Chrome's open-source cross-platform WebGPU implementation) that has been exploited in the wild. This is the fourth Chrome zero-day to be actively weaponised in 2026, continuing an accelerating pattern of browser exploitation that security teams cannot afford to treat as routine.
The Vulnerability
CVE-2026-5281 is a use-after-free flaw in Dawn, the component responsible for Chrome's WebGPU API. Use-after-free vulnerabilities occur when a programme continues to use memory after it has been freed, allowing an attacker to corrupt heap memory and achieve arbitrary code execution in the context of the renderer process. WebGPU, designed to expose GPU capabilities to web applications, is a complex, high-performance API with a large attack surface, the kind of code that frequently contains memory safety issues.
Google's advisory acknowledges that an exploit for CVE-2026-5281 exists in the wild, though attribution and specific attack vectors have not been publicly disclosed. The full release addressed 21 vulnerabilities in total.
The 2026 Chrome Zero-Day Tracker
This is now the fourth actively exploited Chrome zero-day of the year:
- January 2026 - No exploited zero-day published
- February 2026 - CVE-2026-2441: Use-after-free in CSS
- March 2026 - CVE-2026-3909 (CVSS 8.8): Out-of-bounds write in Skia 2D graphics
- March 2026 - CVE-2026-3910 (CVSS 8.8): Flaw in V8 JavaScript/WebAssembly engine
- April 2026 - CVE-2026-5281: Use-after-free in Dawn/WebGPU (this disclosure)
The pace, four exploited zero-days in the first quarter of the year, reflects sustained adversary investment in browser exploitation, whether for intelligence collection, initial access, or watering-hole attack campaigns.
CISA KEV Deadline
CISA added CVE-2026-5281 to the Known Exploited Vulnerabilities catalogue on 1 April 2026, setting 15 April 2026 as the remediation deadline for Federal Civilian Executive Branch agencies. That deadline falls today, meaning federal environments that have not yet updated are now overdue.
Fixed Versions
Google has patched the vulnerability in:
- Chrome 146.0.7680.177/178 for Windows and macOS
- Chrome 146.0.7680.177 for Linux
Users on the Stable channel should receive the update automatically. Enterprise environments using Chrome through managed policies should verify auto-update is enabled and confirm the deployed version matches the patched release.
Recommended Actions
- Verify Chrome is updated to 146.0.7680.177 or later across all managed endpoints. Navigate to chrome://version/ or use your endpoint management tool to confirm.
- Enable Chrome auto-update in enterprise policy if it has been disabled; manual patching processes create unacceptable lag windows when zero-days are in active exploitation.
- Consider Chromium-based browser estate scope: Microsoft Edge and other Chromium-based browsers share WebGPU rendering components. Check for vendor patches for those products as well.
- Review web proxy and DNS logs for indicators of drive-by download campaigns or watering-hole infrastructure targeting browsers with unpatched Dawn vulnerabilities.
- For high-risk users (executives, finance teams, legal), enforce browser updates as a P1 patching item and consider temporarily restricting access to WebGPU-intensive sites if the business context permits.
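The version check in the first action can be run against an endpoint inventory export. The script below is an added example, not part of Google's advisory or any vendor tool; the CSV column names, hostnames and every sample version other than the fixed builds 146.0.7680.177/178 are constructed for illustration.

```python
import csv
import io

# Fixed Chrome build named in the advisory above (Windows, macOS and Linux).
FIXED_CHROME = (146, 0, 7680, 177)

# Constructed sample inventory export; hosts, columns and old versions are assumptions.
SAMPLE_INVENTORY = """\
host,browser,version
fin-lt-01,chrome,146.0.7680.177
fin-lt-02,chrome,146.0.7680.99
exec-mb-01,chrome,146.0.7680.178
dev-ws-07,chrome,145.0.7632.160
legal-lt-03,chrome,unknown
ops-ws-02,edge,146.0.3856.59
"""


def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Map each host to 'patched', 'vulnerable', 'unknown' or 'check-vendor'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        if row["browser"].strip().lower() != "chrome":
            # Other Chromium-based browsers carry their own version numbers,
            # so the Chrome threshold does not apply; check the vendor's patch.
            results[host] = "check-vendor"
            continue
        version = parse_version(row["version"])
        if version is None:
            results[host] = "unknown"  # treat as unpatched until confirmed
        elif version >= FIXED_CHROME:  # numeric tuple compare, not string compare
            results[host] = "patched"
        else:
            results[host] = "vulnerable"
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Comparing versions as integer tuples matters here: as plain strings, "146.0.7680.99" sorts after "146.0.7680.177" and an unpatched host would be reported as current.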
The frequency of Chrome zero-days in 2026 argues for treating browser patching as infrastructure patching rather than endpoint hygiene: the same urgency that would apply to a network appliance vulnerability should apply here.