
Google Patches Actively Exploited Chrome Zero-Day CVE-2026-5281 — CISA Deadline Hits Today

dark6 15 April 2026

Google has released emergency security patches for its Chrome browser to address a high-severity zero-day vulnerability, tracked as CVE-2026-5281, that is currently being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026, setting a mandatory remediation deadline of April 15, 2026 for all federal agencies — making today the last day for compliance.

What Is CVE-2026-5281?

CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source WebGPU implementation used by Chrome. Use-after-free bugs occur when a program continues to use a memory reference after that memory has been freed, which can allow attackers to execute arbitrary code in the context of the affected application.

The vulnerability carries a high severity rating and has been confirmed as actively exploited. While Google has not disclosed full technical details to give users time to apply the patch, researchers note that WebGPU-related flaws are particularly attractive targets because they can often be triggered through malicious web pages without any additional user interaction beyond visiting the site.

Part of a Troubling Pattern in 2026

CVE-2026-5281 is the fourth actively weaponized Chrome zero-day patched by Google since the start of 2026. This pattern underscores the increasingly intense focus threat actors are placing on browser-level exploitation:

  • Q1 2026 saw two separate zero-days in Chrome’s renderer process being weaponized in targeted espionage campaigns attributed to state-sponsored groups.
  • Another Chrome zero-day in March 2026 was leveraged in a financially motivated crimeware campaign targeting banking users across Europe.
  • CVE-2026-5281 now adds to this count, with exploitation observed in the wild before the patch was available.

Security analysts at Orca Security who analyzed CVE-2026-5281 noted that the flaw’s location in the WebGPU stack — a relatively new and complex part of the browser — may have contributed to the delay in detection, as security tooling and fuzzing coverage for this subsystem is still maturing.

CISA’s Mandatory Remediation Order

CISA’s inclusion of CVE-2026-5281 in the KEV catalog on April 1st triggered a binding operational directive requiring all U.S. federal civilian executive branch agencies to patch by April 15. This tight two-week window reflects the severity of the active exploitation and the risk posed to government networks.

Organizations outside the federal government are strongly advised to treat this deadline as a best-practice benchmark and apply the update as soon as possible.

How to Update Chrome

Google has released the fix in Chrome version 135.0.7049.95/96 for Windows and Mac, and 135.0.7049.95 for Linux. To verify or update your Chrome installation:

  • Open Chrome and click the three-dot menu in the upper right corner.
  • Navigate to Help > About Google Chrome.
  • Chrome will automatically check for updates and prompt you to relaunch if a new version is available.
  • After relaunching, confirm the version number shows 135.0.7049.95 or higher.

Enterprise administrators using managed Chrome deployments should push the update via their management console immediately and verify rollout completion through their endpoint visibility tools.
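The manual check above works for one machine; across a fleet the same check is usually run against an inventory export from an endpoint tool. The following script is an added example (not code from the article, Google, or any endpoint vendor) that compares each reported Chrome version against the fixed build named above, component by component. The inventory rows, hostnames and non-fixed version strings are constructed sample data; the only real value is the fixed version 135.0.7049.95 from the article.

```python
"""Triage a Chrome inventory against the CVE-2026-5281 fixed build.

Added example, not from the article. The fixed version comes from the
article; every hostname and every other version string below is made up.
"""
import re
from typing import List, Optional, Tuple

# Lowest fixed build named in the article (135.0.7049.95 on every platform;
# Windows/Mac also ship .96). Anything at or above this is patched.
FIXED_VERSION = (135, 0, 7049, 95)

# Chrome reports four dotted numeric components: major.minor.build.patch
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'major.minor.build.patch' into an int tuple; None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str) -> bool:
    """True when the installed version is at or above FIXED_VERSION.

    Comparing int tuples matters: a plain string comparison ranks
    '135.0.7049.100' below '135.0.7049.95' and would mark a patched host
    as vulnerable. An unparseable version is treated as NOT verified.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    return parsed >= FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Split (hostname, version) rows into 'patched' and 'needs_update'."""
    result = {"patched": [], "needs_update": []}
    for host, version in inventory:
        bucket = "patched" if is_patched(version) else "needs_update"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions other than the
# fixed build are invented for illustration.
SAMPLE_INVENTORY = [
    ("ws-001", "135.0.7049.96"),    # Windows build named in the article
    ("ws-002", "135.0.7049.84"),    # earlier build, same branch (constructed)
    ("ws-003", "135.0.7049.95"),    # exactly the fixed build
    ("ws-004", "135.0.7049.100"),   # later patch level (constructed)
    ("ws-005", "134.0.6998.178"),   # previous major version (constructed)
    ("ws-006", "unknown"),          # agent could not read the version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts whose version cannot be parsed land in `needs_update` on purpose: a rollout report should only count a machine as remediated when the agent positively reported a fixed build.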

Broader Implications for Organizations

The frequency of Chrome zero-days in 2026 has significant implications for enterprise security teams. Browsers remain one of the most common attack surfaces, particularly in environments that rely heavily on web-based SaaS applications. Organizations should consider:

  • Enabling automatic browser updates to minimize the window between patch release and deployment.
  • Deploying browser isolation technology for high-risk users or sensitive workflows.
  • Monitoring endpoint detection systems for signs of in-browser code execution or unusual renderer process activity.
  • Reviewing browser extension policies, as malicious extensions can amplify the impact of browser vulnerabilities.
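One concrete form of the "unusual renderer process activity" monitoring suggested above is a process-lineage rule: Chrome's browser process launches its sandboxed helpers (renderer, GPU, utility processes) with a `--type=` flag, and those helpers do not normally launch anything outside Chrome, so a shell appearing as a child of one is a strong signal of in-browser code execution followed by a sandbox escape. The script below is an added example, not from the article or any detection product; the event record layout, PIDs and command lines are constructed, and the assumption that a non-Chrome child of a `--type=` helper is suspicious is the rule's own, not a claim the article makes.

```python
"""Flag Chrome sandboxed helper processes that spawn non-Chrome children.

Added example, not from the article. Event layout and all sample events
are constructed; PIDs and command lines are invented.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name as reported by the endpoint agent
    cmdline: str    # full command line


# Executable names Chrome itself uses (assumption: extend for your build)
CHROME_IMAGES = {"chrome.exe", "chrome", "google-chrome", "chromium"}


def helper_type(ev: ProcEvent) -> Optional[str]:
    """Return the value of Chrome's --type= flag, or None for the browser process."""
    for token in ev.cmdline.split():
        if token.startswith("--type="):
            return token[len("--type="):]
    return None


def is_sandboxed_chrome(ev: ProcEvent) -> bool:
    """A Chrome helper process (renderer, gpu-process, utility, ...)."""
    return ev.image.lower() in CHROME_IMAGES and helper_type(ev) is not None


def find_suspicious_spawns(events: List[ProcEvent]) -> List[Tuple[int, str, int, str]]:
    """Return (parent_pid, helper_type, child_pid, child_image) for every
    non-Chrome process whose parent is a sandboxed Chrome helper."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent not in this batch; nothing to judge
        if is_sandboxed_chrome(parent) and ev.image.lower() not in CHROME_IMAGES:
            hits.append((parent.pid, helper_type(parent), ev.pid, ev.image))
    return hits


# Constructed sample events (invented PIDs and command lines)
SAMPLE_EVENTS = [
    ProcEvent(4000, 800, "chrome.exe", "chrome.exe"),                      # browser process
    ProcEvent(4100, 4000, "chrome.exe", "chrome.exe --type=renderer --lang=en-US"),
    ProcEvent(4200, 4000, "chrome.exe", "chrome.exe --type=gpu-process"),
    ProcEvent(4300, 4000, "chrome.exe", "chrome.exe --type=utility"),
    ProcEvent(5000, 4100, "cmd.exe", "cmd.exe /c dir"),                    # renderer spawned a shell
    ProcEvent(5001, 4200, "powershell.exe", "powershell.exe -NoProfile"),  # GPU process spawned a shell
    ProcEvent(5002, 800, "notepad.exe", "notepad.exe"),                    # parent not in batch
    ProcEvent(5003, 4000, "notepad.exe", "notepad.exe"),                   # child of the unsandboxed browser process
]

if __name__ == "__main__":
    for parent_pid, kind, child_pid, image in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT: chrome {kind} (pid {parent_pid}) spawned {image} (pid {child_pid})")
```

The rule deliberately ignores children of the unsandboxed browser process (pid 4000 above), since it legitimately opens downloads and external handlers; those belong to a separate, noisier rule.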

With CISA’s remediation deadline falling today, security teams should treat this as a top-priority patching action. The combination of active exploitation and a high-complexity attack surface makes CVE-2026-5281 one of the most urgent browser vulnerabilities of the year so far.
