Google Issues Zero-Day Attack Alert For 3.5 Billion Chrome Users - Forbes
By Davey Winder, Senior Contributor.
Davey Winder is a veteran cybersecurity writer, hacker and analyst.
Apr 03, 2026, 11:44am EDT
Updated April 3: Following confirmation by Google that CVE-2026-5281, a new Chrome web browser zero-day vulnerability, is already being exploited in the wild, this article has now been updated to include information on 20 other vulnerabilities patched in the latest Chrome security update, as well as the addition of the zero-day to the U.S. Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalog and what that means.
Just days after Google started rolling out a high-risk security update for Chrome users, the technology giant has now issued a new alert following the confirmation of a new zero-day exploit observed in the wild. This means that hackers already have a head start when it comes to using CVE-2026-5281 in attacks against the 3.5 billion users of the world’s most popular web browser.
The good news is that Google has commenced another security update distribution to address this high-severity vulnerability, along with a staggering 20 others. The bad news is that it could take days, or even weeks, to reach you, according to the Google announcement. Thankfully, however, there is a way to ensure that your Chrome browser gets that Google security update right now, and you can scroll to the end of this article for step-by-step instructions. In the meantime, here’s what you need to know about the CVE-2026-5281 zero-day.
First of all, we know that zero-day vulnerabilities are becoming increasingly commonplace as far as Google Chrome is concerned. The latest update marks the fourth zero-day to have been patched by Google in just the first quarter of the year, following CVE-2026-2441 in February and both CVE-2026-3909 and CVE-2026-3910 on March 10. To put that into some perspective, Google only patched a total of eight zero-days across the whole of 2025, with one more being confirmed after the linked reference article was published.
As for CVE-2026-5281, Google is keeping relatively quiet about the technical details, as is the norm. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Srinivas Sista, a member of the Google Chrome team, said. What we do know, however, is that this high-severity zero-day vulnerability is of the use-after-free memory type and impacts the cross-platform Dawn WebGPU component of Chrome. If an attacker successfully triggers this vulnerability, and remember that exploits have been confirmed, it could lead to data corruption and browser crashes. According to the Vulners vulnerability database, an attacker would be able to “run arbitrary code via a crafted HTML page.”
The Cybersecurity and Infrastructure Security Agency, which describes itself as America's Cyber Defense Agency but is perhaps better known simply as CISA, has issued an official binding operational directive requiring certain Federal Civilian Executive Branch agencies to update against the latest Chrome zero-day vulnerability. The addition of CVE-2026-5281 to the Known Exploited Vulnerabilities catalog doesn’t only impact those federal agencies, though, as CISA has also strongly urged “all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.” You may not have a legal obligation to complete that remediation within a particular timeframe, but your organization is recommended to apply a risk assessment, and if necessary, the patch, as soon as possible.
The full list of security vulnerabilities patched by Google in this latest Chrome update, which takes Windows and Mac users to version 146.0.7680.177/178 and Linux users to version 146.0.7680.177, is as follows:
CVE-2026-5273, a high-rated use-after-free vulnerability in the CSS component.
CVE-2026-5272, a high-rated heap buffer overflow vulnerability in the Chrome GPU.
CVE-2026-5274, a high-rated integer overflow vulnerability in the Codecs component.
CVE-2026-5275, a high-rated heap buffer overflow vulnerability in the ANGLE component.
CVE-2026-5276, an insufficient policy enforcement vulnerability in the WebUSB component.
CVE-2026-5277, a high-rated integer overflow vulnerability in the ANGLE component.
CVE-2026-5278, a high-rated use-after-free vulnerability in the Web MIDI component.
CVE-2026-5279, a high-rated object corruption vulnerability in the V8 JavaScript rendering engine component.
CVE-2026-5280, a high-rated use-after-free vulnerability in Chrome’s WebCodecs.
CVE-2026-5281, the zero-day vulnerability, as has already been discussed.
CVE-2026-5282, an out-of-bounds read vulnerability in WebCodecs.
CVE-2026-5283, an inappropriate implementation vulnerability in ANGLE.
CVE-2026-5284, a high-rated use-after-free vulnerability in the Dawn component.
CVE-2026-5285, a high-rated use-after-free vulnerability in the WebGL component.
CVE-2026-5286, a high-rated use-after-free vulnerability in Dawn.
CVE-2026-5287, a high-rated use-after-free vulnerability in the PDF component.
CVE-2026-5288, a high-rated use-after-free vulnerability in the WebView component.
CVE-2026-5289, a high-rated use-after-free vulnerability in the Navigation component.
CVE-2026-5290, a high-rated use-after-free vulnerability in the Compositing component.
CVE-2026-5291, a medium-rated use-after-free vulnerability in the WebGL component.
CVE-2026-5292, a medium-rated out-of-bounds vulnerability in WebCodecs.
While you might be tempted to just sit back and wait for the Google Chrome update to arrive and install automatically, and that’s a perfectly valid approach, when it comes to zero-day vulnerability patching, I tend to err on the side of caution and recommend kickstarting the process instead. Handily, this is really easy as well, and also largely an automated process. All you need to do is head to the three-dot menu in your Chrome browser and select the Help|About Google Chrome option. The update will, if not already applied, begin downloading and installing automatically. Just be sure to follow the instructions to restart your browser when prompted, and you will be protected against CVE-2026-5281 and the other 20 vulnerabilities patched by Google.
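For organizations tracking remediation across many machines, the patched version numbers given above can be checked against a software inventory. The following is an added example, not part of the original article or any Google tooling; the inventory format, hostnames and function names are assumptions, and it treats 146.0.7680.177 as the minimum patched build on Windows, Mac and Linux.

```python
import re

# Patched builds named in the article. It gives "146.0.7680.177/178" for
# Windows and Mac; the lower build (.177) is used here as the minimum.
PATCHED = {
    "windows": (146, 0, 7680, 177),
    "mac": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unlisted platform or unreadable version: review by hand
    return "patched" if version >= minimum else "vulnerable"

def audit(rows):
    """Group hostnames by status. rows: iterable of (host, platform, version)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in rows:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "windows", "146.0.7680.178"),
    ("ws-002", "windows", "146.0.7680.99"),  # a string compare would call this newer
    ("mb-001", "mac", "146.0.7680.177"),
    ("lx-001", "linux", "145.0.7632.160"),
    ("lx-002", "linux", "unknown"),
    ("cb-001", "chromeos", "146.0.7680.177"),  # platform not covered by the article
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Versions are compared as integer tuples because a plain string comparison would rank build 99 above build 177.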