Google has released an emergency out-of-band update for Chrome to patch CVE-2026-5281, a high-severity zero-day vulnerability that was already being exploited in the wild before the fix was published. This marks the fourth actively exploited Chrome zero-day patched in 2026 alone — a troubling milestone that underscores the persistent pressure on browser security. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog, giving federal agencies until April 15, 2026 to apply the update.
Technical Details: Use-After-Free in WebGPU
CVE-2026-5281 is a use-after-free vulnerability in Dawn, Chrome’s open-source, cross-platform implementation of the WebGPU standard. Use-after-free bugs occur when a program continues to use a memory pointer after the referenced memory has been freed, potentially allowing an attacker to control what data is placed at that memory location.
In practice, successful exploitation allows a remote attacker who has already compromised the renderer process to escape the Chrome sandbox and execute arbitrary code on the underlying system via a specially crafted HTML page. Users don’t need to download anything — simply visiting a malicious website is sufficient to trigger the exploit.
In-the-Wild Exploitation Confirmed
Google confirmed that an exploit for CVE-2026-5281 existed and was being used in targeted attacks before the patch was made available. The company has deliberately withheld detailed technical information about the exploit and the threat actors involved, following standard practice of limiting disclosure to prevent broader exploitation while users update.
Security researchers at SOCRadar noted that the vulnerability’s location in the WebGPU stack — a relatively new and complex API — makes it an attractive target for sophisticated threat actors looking for less-scrutinized code paths in modern browsers.
A Pattern of Chrome Zero-Days in 2026
CVE-2026-5281 is the fourth Chrome zero-day patched under active exploitation in 2026, following three previous emergency patches earlier in the year. This pace — roughly one exploited zero-day per month — highlights both the attractiveness of Chrome as an attack vector and the sophistication of threat actors continuously probing browser security boundaries.
CISA Mandate: Patch by April 15
CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026, requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the fix by April 15, 2026. While this mandate applies specifically to federal agencies, CISA strongly recommends that all organizations and individuals treat the deadline as a priority.
Who Is Affected and How to Update
The vulnerability affects Chrome on all major platforms. Users of other Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — are also advised to update as soon as their respective vendors release patched versions based on Chrome 146.
The fix is available in the following versions:
- Windows and macOS: Chrome 146.0.7680.177 / 146.0.7680.178
- Linux: Chrome 146.0.7680.177
To update Chrome immediately: click the three-dot menu → Help → About Google Chrome. Chrome will automatically check for and apply the update, then prompt you to relaunch. Do not delay — this is a confirmed in-the-wild exploit with no workaround short of updating.
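For administrators who need to check many machines rather than one, the fixed builds listed above can be applied to a software inventory. This is an added example, not code from Google or CISA; the host names and reported versions in the sample inventory are constructed, and it assumes each row carries a version string such as `Google Chrome 146.0.7680.150`.

```python
import re

# Fixed builds as listed in the article; the lower of the two Windows/macOS
# builds is used as the threshold.
FIXED = {
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(platform, product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    # Other Chromium-based browsers number their releases differently, so the
    # Chrome build threshold cannot be applied to them.
    if product.strip().lower() != "google chrome":
        return "unknown"
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank build 99 above build 177.
    return "patched" if version >= fixed else "vulnerable"

def audit(rows):
    """Map each host to its status."""
    return {host: classify(plat, prod, ver) for host, plat, prod, ver in rows}

# Constructed sample inventory: (host, platform, product, reported version).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome", "Google Chrome 146.0.7680.178"),
    ("ws-002", "Windows", "Google Chrome", "146.0.7680.99"),
    ("mac-007", "macOS", "Google Chrome", "Google Chrome 145.0.7632.200"),
    ("lnx-003", "Linux", "Google Chrome", "Google Chrome 146.0.7680.177 "),
    ("lnx-004", "Linux", "Google Chrome", "version unavailable"),
    ("ws-009", "Windows", "Microsoft Edge", "146.0.1234.56"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` need manual follow-up: either the version could not be read, or the browser is a Chromium derivative whose patched release has to be confirmed with its own vendor.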