Chrome Zero-Day CVE-2026-5281 Exploited in Wild — 4th of 2026, Patch to 146.0.7680.178 Now - abhs.in
Abhishek Gautam · April 2, 2026 · 5 min read
QUICK SUMMARY
Google patched Chrome CVE-2026-5281, a use-after-free in the Dawn WebGPU engine actively exploited in the wild. CISA KEV deadline April 15. Update to 146.0.7680.178 immediately.
Google released an emergency Chrome update on April 1, 2026 to patch CVE-2026-5281 — a use-after-free vulnerability in the Dawn WebGPU component that is actively being exploited in the wild. This is the fourth Chrome zero-day patched in 2026. CISA added it to the Known Exploited Vulnerabilities catalog the same day, setting a mandatory federal patching deadline of April 15 for all FCEB agencies.
If you are running Chrome below version 146.0.7680.177 on any platform, you are exposed to a remotely exploitable code execution bug that attackers are already using.
Update Right Now
The patched versions are:
Windows and macOS: 146.0.7680.177 or 146.0.7680.178
Linux: 146.0.7680.177
To update: open Chrome → three-dot menu → Help → About Google Chrome → wait for update to download → click Relaunch.
Chrome auto-updates but only applies the update at next relaunch. A Chrome window that has been open for days is running the unpatched version even if the update downloaded. You need to actually relaunch.
Chromium-based browsers — Edge, Brave, Opera, Vivaldi — use the same Dawn engine and are likely affected by the same underlying vulnerability. Check each browser's update channel for patched versions; Edge has the fastest Chromium tracking of the major alternatives.
What the Vulnerability Actually Is
CVE-2026-5281 is a use-after-free in Dawn — the open-source, cross-platform implementation of the WebGPU standard that Chrome uses for GPU-accelerated graphics and compute.
Use-after-free: the program frees a block of memory, then subsequently accesses that same memory location. If an attacker can control what gets written to that freed memory before the second access happens, they control what the program reads as trusted data. In a browser context, this means an attacker can overwrite function pointers or object structures inside Chrome's renderer process, redirecting execution to attacker-controlled code.
The specific attack chain: an attacker hosts a crafted HTML page containing malicious WebGPU code. A user visits the page in Chrome. The WebGPU code triggers the use-after-free in Dawn. The attacker gains code execution inside Chrome's renderer process — the sandboxed process that handles page rendering.
The phrase "compromised renderer process" in Google's advisory is the key technical qualifier. This exploit reaches code execution inside the renderer sandbox, not outside it. Chaining this with a separate sandbox escape (a second vulnerability) would give the attacker full system access. Google has not confirmed whether a sandbox escape is being used in the active exploitation chains, but CISA's KEV listing and the speed of the emergency patch suggest the threat is treated as high-severity.
Why WebGPU Is a Growing Attack Surface
WebGPU shipped in Chrome stable in May 2023. It replaced WebGL as the primary web standard for GPU access from JavaScript — enabling high-performance graphics, machine learning inference in the browser, and general GPU compute directly from web pages.
The attack surface of WebGPU is significantly larger than WebGL. WebGL exposed a relatively narrow subset of OpenGL ES. WebGPU exposes a modern GPU programming model — compute shaders, pipeline state objects, resource binding — that is far more complex and interacts with the GPU driver at a lower level.
Dawn is the implementation Chrome, Node.js (via the Dawn bindings), and other Chromium-based browsers use. A bug in Dawn is not Chrome-specific — it is a bug in shared infrastructure used across multiple runtimes. This is the second Dawn-related security incident in 2026, following a lower-severity issue patched in February.
The developer implication: if you are building WebGPU-based applications — browser-based ML inference, GPU compute for data visualization, WebGPU game engines — your users are running this attack surface. Keeping Chrome updated is not just a user hygiene issue, it is a security property of your WebGPU application.
This Is the Fourth Chrome Zero-Day of 2026
CVE-2026-5281 is the fourth actively exploited Chrome zero-day patched by Google in 2026. The cadence is accelerating:
Zero-day 1 (January 2026): V8 JavaScript engine type confusion — exploited by state-sponsored actors
Zero-day 2 (February 2026): Dawn component — lower severity, limited exploitation
Zero-day 3 (March 2026): Mojo IPC use-after-free — exploited in targeted attacks against journalists and activists
Zero-day 4 (April 2026, CVE-2026-5281): Dawn WebGPU use-after-free — actively exploited, CISA KEV listed
Four zero-days in 91 days is not a Chrome-specific failure — it reflects the intensity of security research and active exploitation targeting the browser attack surface in 2026. Nation-state actors, criminal ransomware groups, and commercial exploit brokers are all investing heavily in browser exploits because the browser is the most universal attack surface: it runs on every OS, handles untrusted content by design, and has GPU and network access.
Who Is Exploiting It
Google has not publicly attributed the exploitation. The standard disclosure pattern: Google confirms exploitation "in the wild" without naming threat actors, patches the vulnerability, and then security researchers and intelligence agencies publish attribution analysis weeks later.
Based on the pattern of previous Dawn-related exploits and the WebGPU-specific attack surface, the likely exploitation scenarios are:
Targeted espionage: state-sponsored actors running watering hole attacks — compromising websites visited by high-value targets (journalists, government officials, defense contractors) and delivering the exploit silently when the target visits the site.
Criminal drive-by: ransomware groups embedding the exploit in malvertising campaigns — ads that execute the exploit payload when rendered in the browser without any user interaction beyond loading the page.
Exploit broker testing: commercial exploit brokers (NSO Group competitors) validating the exploit as part of a chain for mobile or desktop targeted attacks.
CISA's mandatory April 15 federal deadline suggests this is being treated as sufficiently dangerous to warrant rapid compliance enforcement, not just a standard advisory.
What Enterprise and Developer Teams Should Do
Immediate (today):
Force-relaunch all Chrome instances across managed devices — policy deployment via Chrome Browser Cloud Management or group policy
Verify Chromium-based browser versions (Edge, Brave) are updated
If using Chrome in CI/CD pipelines (Puppeteer, Playwright, automated testing), update the pinned Chrome version
Within 48 hours:
Check Node.js applications using Dawn WebGPU bindings — same underlying library, may need separate update
Review any internal applications that use Chrome in kiosk or embedded mode — these do not auto-update without explicit management
Ongoing:
If you run a WebGPU-based application, consider adding a client-side version check that warns users running Chrome below the patched version
CISA KEV listings are the most reliable signal for genuine exploitation severity — subscribe to the KEV RSS feed at cisa.gov/known-exploited-vulnerabilities-catalog
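The client-side version check suggested above, as an added example (not code from the article or from Chrome): the function names are hypothetical and the build number is the one the article gives. Chrome's reduced User-Agent string reports only `MAJOR.0.0.0`, so the full build has to come from `navigator.userAgentData.getHighEntropyValues`; the same `classifyChrome` comparison can be applied to a pinned browser version in CI.

```javascript
// Added example; function names are hypothetical, build number is from the article.
const PATCHED = "146.0.7680.177";

// Numeric comparison of dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns "patched", "outdated" or "unknown" for a four-part Chrome version.
// A reduced UA version (MAJOR.0.0.0) on the patched major cannot be judged.
function classifyChrome(version, patched = PATCHED) {
  if (!/^\d+(\.\d+){3}$/.test(version || "")) return "unknown";
  const [major, ...rest] = version.split(".").map(Number);
  const reduced = rest.every((n) => n === 0);
  if (reduced && major === Number(patched.split(".")[0])) return "unknown";
  return compareVersions(version, patched) >= 0 ? "patched" : "outdated";
}

// Prefer the "Google Chrome" entry of a UA-CH fullVersionList; other Chromium
// browsers ship their own fixed builds, so they are not matched here.
// Falls back to the (possibly reduced) Chrome token in the UA string.
function extractChromeVersion(fullVersionList, userAgent) {
  const entry = (fullVersionList || []).find((b) => b.brand === "Google Chrome");
  if (entry) return entry.version;
  const m = /Chrome\/(\d+\.\d+\.\d+\.\d+)/.exec(userAgent || "");
  return m ? m[1] : null;
}

// Browser entry point: pass `navigator`; resolves to one of the three states.
async function checkBrowser(nav) {
  let list = null;
  if (nav.userAgentData && nav.userAgentData.getHighEntropyValues) {
    ({ fullVersionList: list } =
      await nav.userAgentData.getHighEntropyValues(["fullVersionList"]));
  }
  return classifyChrome(extractChromeVersion(list, nav.userAgent));
}
```

Treat "unknown" as a prompt to ask the user to open About Google Chrome rather than as a pass, since the reduced string cannot distinguish a patched 146 build from an unpatched one.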
Key Takeaways
CVE-2026-5281: use-after-free in Chrome's Dawn WebGPU engine — actively exploited in wild, remote code execution inside renderer process
Patch now: update Chrome to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux) — relaunch required, not just download
Fourth zero-day of 2026: January, February, March, and now April — one per month, accelerating cadence
CISA KEV deadline: April 15, 2026 for all Federal Civilian Executive Branch agencies — treat this as the outer bound for enterprise enforcement
WebGPU attack surface is growing: Dawn is shared infrastructure across Chrome, Node.js bindings, and Chromium-based browsers — a bug in Dawn affects the entire ecosystem
Enterprise action: force-relaunch via Chrome Browser Cloud Management, verify Edge/Brave versions, check Puppeteer/Playwright pinned Chrome versions in CI/CD