CISA has added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog, marking the fourth Chrome zero-day exploited in the wild during 2026 alone. Federal agencies are required to remediate by April 15, 2026 under BOD 22-01.
What Is Dawn?
Google Dawn is Chrome’s WebGPU component responsible for graphics processing — an open-source, cross-platform implementation of the WebGPU standard that translates WebGPU API calls to platform-specific graphics backends. Its deep integration into the rendering pipeline makes vulnerabilities here particularly high-impact.
Vulnerability Details
- CVE: CVE-2026-5281
- CVSS Score: 8.8 (High)
- Type: Use-After-Free
- Component: Dawn (WebGPU) in Google Chrome
- Affected Versions: Chrome prior to 146.0.7680.178
The flaw allows a remote attacker who had already compromised the renderer process to execute arbitrary code via a crafted HTML page.
CISA noted the vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Exploitation Mechanics
Use-after-free vulnerabilities occur when a program continues to use a pointer to memory after that memory has been freed or deallocated. This creates a window where an attacker can manipulate the freed memory region before the program attempts to access it again. In Dawn’s context, this means malicious web content can potentially reach arbitrary code execution within the browser environment.
Memory management flaws in graphics components are particularly dangerous because they often bypass standard browser security boundaries. Successful exploitation could allow attackers to escape Chrome’s sandbox and execute code at the system level.
Google’s Response
Alongside the urgent zero-day patch, Google resolved 20 other security flaws reported by external researchers and internal teams. The majority are high-severity memory safety issues, including multiple heap buffer overflows and use-after-free bugs across essential browser components like WebCodecs, ANGLE, and the V8 JavaScript engine.
As is customary, Google did not provide additional details on exploitation methods or attribution, typically done to ensure a majority of users update before other actors can join exploitation efforts.
2026 Chrome Zero-Day Timeline
CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026. Earlier actively exploited flaws include: CVE-2026-2441 (use-after-free in CSS, February 2026), CVE-2026-3909 (out-of-bounds write in Skia, March 2026), and CVE-2026-3910 (flaw in V8 JavaScript/WebAssembly engine, March 2026).
Detection & Remediation
- Update Google Chrome to 146.0.7680.178 or later immediately
- Apply updates to all Chromium-based browsers: Microsoft Edge, Opera, Brave
- Enforce browser auto-update policies across enterprise endpoints
- Review endpoint telemetry for anomalous renderer process activity or GPU-related crashes preceding suspicious network connections
- FCEB agencies: patch deadline is April 15, 2026 per BOD 22-01
