SOCRadar® Cyber Intelligence Inc. | CVE-2026-5281: Chrome WebGPU Zero-Day Exploited In The Wild
Apr 02, 2026
Apr 03, 2026

CVE-2026-5281: Chrome WebGPU Zero-Day Exploited In The Wild

Google patched CVE-2026-5281, a high-severity use-after-free (CWE-416) vulnerability in Dawn, Chromium’s WebGPU implementation. The company has confirmed exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline for federal agencies.

This post breaks down what CVE-2026-5281 is, who is affected, what is known about exploitation, and what defenders should do immediately.

What Is CVE-2026-5281?

CVE-2026-5281 is a use-after-free memory safety vulnerability in Dawn, the component that implements WebGPU in Chromium-based browsers. Use-after-free bugs occur when software continues to use memory after it has been freed, which can lead to memory corruption.

Details of CVE-2026-5281 (SOCRadar Vulnerability Intelligence)



Memory corruption in a browser graphics stack can create a path to arbitrary code execution under the right conditions. In this case, the NVD description indicates an attacker could use a crafted HTML page to reach code execution in Chrome versions prior to the patched releases, with an important prerequisite: the attacker must already have compromised the renderer process.

Which Chrome Versions Are Affected (And What Versions Are Fixed)?

Google fixed CVE-2026-5281 in Chrome Stable desktop builds released on March 31, 2026:

  • Windows and macOS: 146.0.7680.177/178
  • Linux: 146.0.7680.177

If you are running a version below these builds, treat the browser as vulnerable until it is updated and relaunched.

Are Other Chromium-Based Browsers Affected Too?

Potentially, yes. Browsers like Edge, Brave, Opera, and Vivaldi typically inherit Chromium vulnerabilities until they ship the corresponding upstream fixes. Even if your organization standardizes on a non-Google Chromium browser, verify the vendor has delivered a build that includes the Chromium 146.0.7680.177/178 fixes (or later).

How Does Exploitation Work For This Bug?

Public technical details are limited. Google’s release notes identify the flaw only as a use-after-free in Dawn, and the underlying Chromium issue tracker entry is restricted.

What is clearly stated in the NVD wording is the attacker model: a remote attacker who had already compromised the renderer process could execute arbitrary code via a crafted HTML page.

What Is Not Public Yet?

As of the current advisories, there is no official public breakdown of:

  • The exact root cause in Dawn or the triggering WebGPU call sequence
  • Patch-level details that explain the specific lifecycle or object misuse
  • Whether the in-the-wild activity used this for renderer code execution only, or chained it with a sandbox escape

That lack of detail is consistent with Chrome’s practice of restricting bug information until a large portion of users have updated.

Is CVE-2026-5281 Being Exploited In The Wild?

Yes. Google explicitly stated it is aware of an exploit in the wild.

CISA’s decision to add CVE-2026-5281 to the Known Exploited Vulnerabilities catalog on April 1, 2026 reinforces this. KEV inclusion is a strong signal to prioritize remediation over routine patch timelines.

CISA KEV entry for CVE-2026-5281, signaling the due date for remediation: April 15, 2026



What Should Defenders Do Now?

Update And Force A Relaunch

  • Update Chrome to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).
  • Ensure endpoints relaunch Chrome, since browser updates often download in the background but do not take effect until restart.

In enterprise environments, consider enforcing relaunch windows or using management tooling to reduce the number of devices that remain on a vulnerable binary for days.

Consider An Enterprise Workaround If You Cannot Patch Immediately

If patching must be delayed, an interim control documented in enterprise guidance is disabling WebGPU via Chrome policy:

  • WebGPUEnabled = false

This can reduce exposure to Dawn/WebGPU attack surface, but it may break applications that rely on WebGPU. Treat it as a short-term containment measure, not a replacement for patching.

Operational Checks To Add Right Away

  • Inventory endpoints and confirm installed Chrome versions meet the fixed build numbers.
  • Validate update status for any Chromium-based browsers in scope, not just Chrome.
  • Prioritize high-risk user groups such as administrators, developers, and staff who browse untrusted content as part of their work.
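
The version and relaunch checks above can be scripted against an endpoint inventory. The following is an added example, not code from SOCRadar or Google; the record layout (`host`, `browser`, `installed`, `running`) and the sample rows are assumptions constructed for illustration.

```python
# Added example: triage a browser inventory against the fixed builds named above.
# The inventory layout (host, browser, installed, running) is an assumption.
import re

FIXED = (146, 0, 7680, 177)   # lowest fixed Chrome Stable build from the advisory

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a Chrome-style version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def assess(record):
    """Classify one inventory record for CVE-2026-5281 remediation."""
    if record["browser"].lower() != "chrome":
        # Other Chromium-based browsers use their own version numbers, so a
        # numeric comparison against Chrome's build is not meaningful.
        return "verify-vendor-build"
    installed = parse_version(record.get("installed"))
    if installed is None:
        return "unknown-version"
    if installed < FIXED:
        return "vulnerable-update"
    # A patched binary on disk does not help until the browser restarts.
    running = parse_version(record.get("running"))
    if running is not None and running < FIXED:
        return "patched-relaunch-needed"
    return "ok"

def triage(inventory):
    """Map each status to the sorted list of hosts that have it."""
    result = {}
    for rec in inventory:
        result.setdefault(assess(rec), []).append(rec["host"])
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    {"host": "ws-01", "browser": "Chrome", "installed": "146.0.7680.178", "running": "146.0.7680.178"},
    {"host": "ws-02", "browser": "Chrome", "installed": "146.0.7680.177", "running": "146.0.7680.165"},
    {"host": "ws-03", "browser": "Chrome", "installed": "145.0.7632.160", "running": "145.0.7632.160"},
    {"host": "ws-04", "browser": "Edge", "installed": "146.0.3856.84", "running": "146.0.3856.84"},
    {"host": "ws-05", "browser": "Chrome", "installed": "", "running": None},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in `verify-vendor-build` need a manual check of the vendor's release notes, since only the vendor can confirm that a given build includes the upstream Chromium fix.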

Strengthen Visibility Across Threats and Exposure

Defenders can improve prioritization by pairing external exposure monitoring with current threat context.

With SOCRadar Cyber Threat Intelligence, your organization can track vulnerability activity, exploitation trends, attacker behavior, and relevant indicators that can support faster prioritization. At the same time, SOCRadar Attack Surface Management helps you identify internet-facing assets, exposed services, and other external exposures that may need closer review during remediation.

SOCRadar’s Vulnerability Intelligence



What Is The Timeline Security Teams Should Know?

  • 2026-03-10: Vulnerability reported to Chrome
  • 2026-03-31: Fix shipped in Chrome Stable desktop updates (rolling out afterward)
  • 2026-04-01: CISA added CVE-2026-5281 to KEV; NVD entry published
  • 2026-04-15: CISA KEV remediation due date for U.S. federal civilian agencies

For most organizations, the KEV due date is still a useful benchmark. If you have not completed remediation by mid-April, assume you are behind the threat.