Google Patches Fourth Actively Exploited Chrome Zero-Day Vulnerability in 2026

  • Apr 1

Key Findings


  • Google patched CVE-2026-5281, a use-after-free vulnerability in the WebGPU Dawn component that is actively being exploited

  • This marks the fourth Chrome zero-day under active exploitation in 2026

  • Users are urged to update immediately to Chrome 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux)

  • The vulnerability affects graphics processing capabilities and could allow attackers to execute malicious code or crash the browser

  • Google withheld technical exploit details to give users time to patch before wider attacks occur


Background


Chrome continues to face significant security pressure in 2026. This latest zero-day follows three other actively exploited vulnerabilities discovered earlier in the year, indicating an uptick in coordinated or opportunistic attacks targeting the world's most popular web browser. The pattern suggests that threat actors are actively hunting for and exploiting Chrome vulnerabilities faster than usual.


What is CVE-2026-5281


CVE-2026-5281 is a use-after-free bug in Dawn, the open-source graphics processing component that implements the WebGPU standard. Use-after-free vulnerabilities occur when a program continues using memory after it has been freed. In this case, attackers can exploit the memory error to crash Chrome, inject malicious code, or potentially gain system-level control, depending on the browser's sandbox effectiveness.


Active Exploitation


Google confirmed that exploits for this vulnerability already exist in the wild and are being actively deployed against users. The company provided no details about who is behind the attacks or how widespread the exploitation is, a standard practice designed to prevent copycat attacks while users patch their systems.


Previous Zero-Days in 2026


The four exploited Chrome zero-days discovered so far this year are:


  • February 2026: CVE-2026-2441, a use-after-free in CSS

  • March 2026: CVE-2026-3909, an out-of-bounds write in the Skia 2D graphics library

  • March 2026: CVE-2026-3910, a flaw in the V8 JavaScript and WebAssembly engine

  • April 2026: CVE-2026-5281, the use-after-free in Dawn


Recommended Action


Users should prioritize updating Chrome immediately to the patched versions. Google has confirmed active exploitation, making this a high-priority security update rather than a routine patch. The company is rolling out updates gradually across Windows, macOS, and Linux, so availability may vary by region and device, but users should check for and install updates as soon as they appear.
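
The version check described above, as an added example that is not part of the original post or any Google tooling: a Python script that audits an inventory of reported Chrome versions against the fixed builds listed in this article. The inventory format (host, platform, version string) and the sample hosts and versions are constructed assumptions.

```python
import re

# Lowest fixed build per platform, as listed in this article (178 on Windows/macOS also qualifies).
PATCHED = {
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
# Four dotted numeric fields, e.g. the tail of "Google Chrome 146.0.7680.177".
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the version as a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    baseline = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if baseline is None or version is None:
        return "unknown"  # never treat missing data as patched
    # Tuple comparison is numeric per field, so build 80 sorts below 177.
    return "patched" if version >= baseline else "vulnerable"

def audit(inventory_lines):
    """Group hosts by status from 'host,platform,version string' lines."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) != 3:
            report["unknown"].append(line)
            continue
        host, platform, version_text = fields
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
ws-001,windows,Google Chrome 146.0.7680.178
ws-002,windows,Google Chrome 146.0.7680.165
mac-014,macos,Google Chrome 146.0.7680.177
lnx-203,linux,Google Chrome 146.0.7680.80
lnx-204,linux,Google Chrome 147.0.7700.12
kiosk-9,windows,not installed
""".splitlines()

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group need manual follow-up, since an unreadable version string says nothing about patch status.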


Sources


  • https://securityaffairs.com/190265/hacking/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2026.html

  • https://ground.news/article/google-fixes-fourth-chrome-zero-day-exploited-in-attacks-in-2026_b5a05b

  • https://www.instagram.com/p/DWlfIOalYYw/

  • https://www.reddit.com/r/cybersecurity/comments/1s9pq7e/google_fixes_fourth_chrome_zeroday_exploited_in/

  • https://cybersecuritynews.com/chrome-zero-day-vulnerability-exploited/
