Chrome's 4th Zero-Day of 2026: WebGPU Dawn Flaw Triggers CISA Emergency Patch Directive
Google releases an emergency Chrome update to fix CVE-2026-5281, a use-after-free in Dawn's WebGPU implementation already exploited in the wild. CISA orders patching by April 15. This is Chrome's fourth zero-day of 2026.
ニュース
kkm
Backend Engineer / AWS / Django
Google releases an emergency Chrome update to fix CVE-2026-5281, a use-after-free in Dawn's WebGPU implementation already exploited in the wild. CISA orders patching by April 15. This is Chrome's fourth zero-day of 2026.
On March 31, 2026, Google released a Chrome Stable Channel update to fix a use-after-free vulnerability, CVE-2026-5281, in Dawn, the open-source implementation behind WebGPU. Active exploitation has already been confirmed, and the next day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch by April 15.
This marks the fourth Chrome zero-day exploited in the wild since the start of 2026. February saw a CSS processing flaw, March brought Skia and V8 bugs, and now it's the GPU rendering engine. The fact that each zero-day targets a different component is a defining pattern of Chrome's security landscape this year.
CVE-2026-5281 at a Glance
According to the National Vulnerability Database (NVD), CVE-2026-5281 is described as "use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page."
| Item | Details |
|---|---|
| CVE | CVE-2026-5281 |
| Severity | CVSS 3.1: 8.8 (HIGH) |
| Type | Use After Free (CWE-416) |
| Affected Component | Dawn (WebGPU implementation) |
| Attack Prerequisites | Prior renderer process compromise required + access to a crafted HTML page |
| Reporter | Anonymous researcher (handle: 86ac1f1587b71893ed2ad792cd7dde32) |
| Fixed Version | Chrome 146.0.7680.177/.178 (Windows/macOS/Linux) |
| Patch Released | March 31, 2026 |
| CISA KEV Added | April 1, 2026 |
| Patch Deadline | April 15, 2026 (federal agency mandate) |
| Exploitation in the Wild | Confirmed |
Google acknowledged that "an exploit for CVE-2026-5281 exists in the wild," adding that technical details will remain restricted "until a majority of users are updated with a fix." This stable channel update patched a total of 21 vulnerabilities, 19 rated HIGH and 2 rated MEDIUM.
It's Not Just Chrome That's Affected
Because CVE-2026-5281 resides in a Chromium component, it affects all Chromium-based browsers, not just Chrome. This includes Microsoft Edge, Brave, Opera, Vivaldi, and others, which collectively account for roughly 65% of the desktop browser market worldwide.
| Browser | Patch Status (as of April 3) | How to Check |
|---|---|---|
| Google Chrome | ✅ Patched (146.0.7680.177/.178) | chrome://settings/help |
| Vivaldi | ✅ Patched (7.9 update) | vivaldi://about |
| Microsoft Edge | ⚠️ Unconfirmed (not listed in release notes) | edge://settings/help |
| Brave | ⚠️ Status pending | brave://settings/help |
| Opera | ⚠️ Status pending | Settings → About Opera |
If you're thinking "I use Edge, not Chrome, so I'm fine," think again. Edge uses Chromium's Dawn under the hood. Check your browser's version page to verify whether the patch has been applied.
How to Check and Update Your Chrome Version Right Now
Chrome updates are delivered automatically, but they require a browser restart to take effect. If you tend to keep your browser open for days or weeks at a time, there's a good chance you're still running an unpatched version. Here's how to check manually.
1. Type chrome://settings/help into the address bar and press Enter.
2. The "About Google Chrome" page will appear and automatically check for updates.
3. If the version number shows 146.0.7680.177 or higher, you're protected. If it's lower, click "Relaunch" to apply the update.
Using a different Chromium browser?
- ▸Edge: Navigate to
edge://settings/helpand check the Chromium version (should be 146.0.7680.177 or higher) - ▸Brave: Navigate to
brave://settings/helpand verify the version - ▸Vivaldi: Check
vivaldi://about— patched in the 7.9 minor update - ▸Opera: Go to Settings → About Opera to verify your version
CISA has set a deadline of April 15 for federal agencies. While this mandate doesn't legally bind private organizations, it serves as a widely referenced benchmark for how urgently an exploited vulnerability should be patched. If you haven't updated yet, do it now.
A Look Back at All Four Chrome Zero-Days of 2026
In just the first four months of 2026, four Chrome zero-day vulnerabilities have been exploited in real-world attacks. According to BleepingComputer, 2025 saw a total of eight for the entire year, meaning 2026 is on pace to significantly exceed that number.
← Swipe to navigate
What all four have in common is a CVSS score around 8.8 (HIGH) and the fact that the attack surface shifts to a different component each time: CSS processing, 2D rendering, the JavaScript engine, and now the GPU rendering engine. Attackers are probing a wide range of Chromium's codebase.
Why WebGPU Is Becoming an Attack Surface
To understand this vulnerability, you need to know how Dawn and WebGPU relate to each other.
WebGPU is a new API standard that gives web browsers direct access to a device's graphics processing unit (GPU). It enables lower-level GPU control than the legacy WebGL (2011), making it possible to run 3D graphics and machine learning inference at high speed within the browser. Dawn is the open-source library that implements this WebGPU standard for Chromium.
The challenge is that GPU resource management is inherently complex. According to CVEReports' analysis, the root cause of CVE-2026-5281 is a race condition in Dawn's command buffer queue management. When command buffers are submitted from JavaScript to the GPU and subsequently destroyed, the system fails to maintain proper synchronization between the buffer object lifecycle and the GPU task queue processing state. This leaves dangling pointers to freed memory, which attackers can overwrite with arbitrary data.
A use-after-free (UAF) is a bug where a program continues accessing a memory region after it has been freed. An attacker places malicious data in the freed region, and when the program treats that data as still valid, it can be tricked into executing arbitrary code.
The attack unfolds in two stages. First, a separate vulnerability is used to compromise the browser's renderer process (the process responsible for drawing web pages). Then, this Dawn bug is exploited to escape the browser sandbox and achieve arbitrary code execution at the host OS level.
Notably, this update also fixed three Dawn-related vulnerabilities simultaneously: CVE-2026-5281, CVE-2026-4676 (another Dawn use-after-free), and CVE-2026-5284 (yet another Dawn use-after-free). All were reported by the same anonymous researcher 86ac1f1587b71893ed2ad792cd7dde32, who according to Help Net Security also reported a WebGL heap buffer overflow (CVE-2026-4675). The concentration of bugs in graphics-related components is striking.
The Structural Reasons Behind Chrome's Zero-Day Surge
Of the four 2026 zero-days, three are use-after-free bugs (CVE-2026-3910, the V8 flaw, is the exception with an inappropriate implementation classification). This is no coincidence.
Chromium is primarily written in C++, where memory management is the programmer's responsibility. Google has previously published an analysis stating that roughly 70% of Chromium's security bugs stem from memory safety issues. Use-after-free is the quintessential example.
Google is tackling this problem with two approaches. The first is MiraclePtr, a smart pointer mechanism for C++ that detects use-after-free conditions and crashes the process before exploitation can succeed. The second is the gradual introduction of Rust into the Chromium codebase, which provides compile-time memory safety guarantees.
However, GPU-related components like Dawn are still relatively new, and their code maturity lags behind V8 and Blink. The WebGPU specification itself only shipped as stable in 2023. For attackers, this represents a "new attack surface likely rich in undiscovered bugs."
PCQuest characterizes this situation as "revealing a bigger browser security problem." The diversification of attack surfaces means that hardening one component simply redirects attackers to another, a whack-a-mole dynamic. The only fundamental solutions are to accelerate the migration from C++ to memory-safe languages, or to layer sandboxes more deeply to contain the blast radius of any single zero-day.
Key Takeaways
CVE-2026-5281 is an actively exploited Chrome zero-day vulnerability. It's a use-after-free in Dawn, the WebGPU implementation, allowing arbitrary code execution once an attacker has compromised the renderer process. All Chromium-based browsers are affected, including Chrome, Edge, Brave, Vivaldi, and Opera.
Open chrome://settings/help (or the equivalent page in your browser) right now and verify that your version is 146.0.7680.177 or higher. Even with auto-update enabled, the patch won't take effect until you restart the browser.
This fourth zero-day of 2026 shows attack surfaces expanding from CSS to Skia, V8, and now WebGPU. It's time to change the habit from "I'll update when I get around to it" to "I'll check the moment I see a security advisory."
Sources
- ▸ Google Chrome Releases - Stable Channel Update for Desktop (March 31, 2026)
- ▸ NVD - CVE-2026-5281 Detail (April 1, 2026)
- ▸ CISA - Known Exploited Vulnerabilities Catalog (Added April 1, 2026)
- ▸ BleepingComputer - Google fixes fourth Chrome zero-day exploited in attacks in 2026 (April 1, 2026)
- ▸ Help Net Security - Google fixes Chrome zero-day with in-the-wild exploit (CVE-2026-5281) (April 1, 2026)
- ▸ SecurityAffairs - Google fixes fourth actively exploited Chrome zero-day of 2026 (April 1, 2026)
- ▸ CVEReports - CVE-2026-5281: High-Severity Use-After-Free in Dawn WebGPU Implementation
- ▸ PCQuest - Chrome's fourth zero-day of 2026 reveals a bigger browser security problem
- ▸ Chromium - Memory Safety