Google has released an emergency security update for Chrome after confirming that a high-severity zero-day vulnerability, tracked as CVE-2026-5281, is being actively exploited in the wild. The flaw resides in Dawn, Chrome’s open-source implementation of the WebGPU standard, and can allow attackers who have already compromised the renderer process to execute arbitrary code via a specially crafted HTML page. This marks the fourth actively exploited Chrome zero-day patched in 2026 alone.
What is CVE-2026-5281?
CVE-2026-5281 is a use-after-free vulnerability in Dawn, the cross-platform WebGPU implementation bundled with Google Chrome. Use-after-free bugs occur when a program continues to reference memory after it has been freed, creating opportunities for attackers to corrupt memory and hijack execution flow. In this case, the flaw manifests within Chrome’s GPU processing pipeline, where improper memory management during WebGPU operations can trigger corruption that an attacker may leverage for code execution.
WebGPU is a relatively new web standard that gives browser-based applications low-level access to GPU hardware, enabling high-performance graphics and compute workloads. Its privileged access to hardware resources makes vulnerabilities in its implementation particularly dangerous, as successful exploitation could allow an attacker to break out of Chrome’s security sandbox.
Affected Versions and the Patch
The vulnerability affects Google Chrome versions prior to 146.0.7680.177 on Linux and prior to 146.0.7680.177/178 on Windows and macOS. Google bundled the fix for CVE-2026-5281 alongside patches for 20 other security issues in the same update cycle, released on April 1, 2026. Users can update Chrome by navigating to Menu → Help → About Google Chrome, where the browser will automatically download and install the latest version.
Enterprise administrators should prioritize pushing the update across all managed Chrome deployments as soon as possible, as the confirmed in-the-wild exploitation elevates this from a routine patch to an emergency remediation requirement.
CISA Adds CVE-2026-5281 to Known Exploited Vulnerabilities Catalog
Acting swiftly after Google’s disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate KEV-listed vulnerabilities within set deadlines. CISA has established April 15, 2026 as the compliance deadline for this particular flaw.
While this directive applies specifically to federal agencies, CISA strongly encourages all organizations — regardless of sector — to treat the update as an urgent priority given the confirmed exploitation activity observed in the wild.
How the Exploit Works
Security researchers who analyzed CVE-2026-5281 describe the exploit chain as a two-stage process. First, the attacker must gain initial access to Chrome’s renderer process, typically by exploiting a separate vulnerability in JavaScript engine parsing or through malicious web content. Once renderer-level access is achieved, the attacker triggers the use-after-free condition in Dawn’s WebGPU layer by manipulating how GPU resources are allocated and freed. The resulting memory corruption enables the attacker to escalate privileges and potentially escape Chrome’s sandbox entirely, achieving code execution on the underlying operating system.
- Initial compromise of the renderer process via crafted web content
- Triggering the use-after-free condition in the Dawn WebGPU layer
- Memory corruption leading to sandbox escape and arbitrary code execution
This multi-stage nature means the vulnerability is most dangerous when chained with other browser exploits, a technique routinely employed by sophisticated threat actors in targeted attack campaigns.
The Broader Pattern of Chrome Zero-Days in 2026
CVE-2026-5281 is the fourth Chrome zero-day discovered and patched in 2026, continuing a multi-year trend of frequent browser-level exploitation. The emergence of WebGPU as a new and complex attack surface has attracted significant attention from both vulnerability researchers and malicious actors. As web applications push for increasingly hardware-accelerated performance, the browser’s expanded access to GPU resources introduces new risk vectors that security teams must account for in their threat models.
Recommended Actions
Organizations and individuals should take the following steps immediately:
- Update Chrome to version 146.0.7680.177 or later across all devices and platforms without delay.
- Audit enterprise Chrome deployments to ensure managed endpoints receive the update promptly via policy or MDM tooling.
- Enable automatic updates to minimize the window of exposure for future zero-day patches.
- Monitor endpoint detection logs for anomalous browser process behavior or unexpected GPU-related crashes that could indicate exploitation attempts.
- Federal agencies must comply with CISA’s April 15, 2026 remediation deadline under BOD 22-01.
With active exploitation already confirmed, any delay in patching represents unacceptable risk. Chrome users across all platforms should verify they are running the latest version today.