Chrome zero-day CVE-2026-5281 (WebGPU/Dawn) under active attack

Google releases an emergency Chrome update to fix CVE-2026-5281, a use-after-free in Dawn's WebGPU implementation already exploited in the wild. CISA orders patching by April 15. This is Chrome's fourth zero-day of 2026.

News | Published April 3, 2026 | Last updated May 28, 2026

On March 31, 2026, Google released a Chrome Stable Channel update to fix a use-after-free vulnerability, CVE-2026-5281, in Dawn, the open-source implementation behind WebGPU. Active exploitation has already been confirmed, and the next day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch by April 15.

This marks the fourth Chrome zero-day exploited in the wild since the start of 2026. February saw a CSS processing flaw, March brought Skia and V8 bugs, and now it's the GPU rendering engine. The fact that each zero-day targets a different component is a defining pattern of Chrome's security landscape this year.

The Market Behind "Chrome Zero-Day #4 of 2026"

Four exploited Chrome zero-days in a single year is not random luck; it is the visible surface of a market where each Chrome RCE chain trades for millions of dollars to a very specific buyer set, so it is worth starting from who is paying that bill and what they actually point the exploit at.

The people who actually hold a working Chrome zero-day are not lone-wolf hobbyists; they sit in a budget bracket several orders of magnitude above that. State-sponsored cyber espionage units, intelligence officers of authoritarian regimes tracking journalists and dissidents, industrial spies after pre-earnings drafts and M&A documents, and initial-access brokers who resell footholds into already-compromised companies to ransomware crews form the core buyer set. What they want from a hole in Chrome is the unsent confidential message in Gmail and the shared drives behind Google Workspace, the corporate credentials piled up in the browser's password manager, the live SaaS admin sessions cached in cookies, the federated access through Google Sign-In into a target's Slack/Notion/GitHub, and the customer lists and financial models synced to the work laptop. In the single second a crafted page renders, the chain renderer → Dawn use-after-free → sandbox escape → OS execution opens end-to-end through this one CVE.

In security terminology, a browser zero-day is the opening "initial access vector" of a longer attack chain. The reason a relatively new, lightly audited codebase like WebGPU/Dawn keeps being targeted is precisely that attackers deliberately pick territories where defensive review has not yet caught up. A chain that begins in a compromised renderer, pivots through a freed Dawn object, and ends in a sandbox escape is the kind of exploit traded between commercial offensive vendors at the multi-million-dollar mark, with buyers that are basically governments or contractors acting on their behalf (NSO Group, Intellexa, and the like). CISA giving federal agencies a two-week deadline after KEV listing is a quiet acknowledgement that the assumed adversary here is nation-state class.

CVSS 8.8 is only a technical reading. What Chrome users inside enterprises and government actually lose is not a crashed browser; it is that the active login sessions to work accounts, the foothold into internal systems, and the entryway into the customer database silently change hands to a nation-state-scale espionage operation.

CVE-2026-5281 at a Glance

According to the National Vulnerability Database (NVD), CVE-2026-5281 is described as "use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page."

| Item | Details |
| --- | --- |
| CVE | CVE-2026-5281 |
| Severity | CVSS 3.1: 8.8 (HIGH) |
| Type | Use After Free (CWE-416) |
| Affected Component | Dawn (WebGPU implementation) |
| Attack Prerequisites | Prior renderer process compromise required + access to a crafted HTML page |
| Reporter | Anonymous researcher (handle: 86ac1f1587b71893ed2ad792cd7dde32) |
| Fixed Version | Chrome 146.0.7680.177/.178 (Windows/macOS/Linux) |
| Patch Released | March 31, 2026 |
| CISA KEV Added | April 1, 2026 |
| Patch Deadline | April 15, 2026 (federal agency mandate) |
| Exploitation in the Wild | Confirmed |

Google acknowledged that "an exploit for CVE-2026-5281 exists in the wild," adding that technical details will remain restricted "until a majority of users are updated with a fix." This stable channel update patched a total of 21 vulnerabilities, 19 rated HIGH and 2 rated MEDIUM.

It's Not Just Chrome That's Affected

Because CVE-2026-5281 resides in a Chromium component, it affects all Chromium-based browsers, not just Chrome. This includes Microsoft Edge, Brave, Opera, Vivaldi, and others, which collectively account for roughly 65% of the desktop browser market worldwide.

| Browser | Patch Status (as of April 3) | How to Check |
| --- | --- | --- |
| Google Chrome | ✅ Patched (146.0.7680.177/.178) | chrome://settings/help |
| Vivaldi | ✅ Patched (7.9 update) | vivaldi://about |
| Microsoft Edge | ⚠️ Unconfirmed (not listed in release notes) | edge://settings/help |
| Brave | ⚠️ Status pending | brave://settings/help |
| Opera | ⚠️ Status pending | Settings → About Opera |

If you're thinking "I use Edge, not Chrome, so I'm fine," think again. Edge uses Chromium's Dawn under the hood. Check your browser's version page to verify whether the patch has been applied.

How to Check and Update Your Chrome Version Right Now

Chrome updates are delivered automatically, but they require a browser restart to take effect. If you tend to keep your browser open for days or weeks at a time, there's a good chance you're still running an unpatched version. Here's how to check manually.

1. Type chrome://settings/help into the address bar and press Enter.

2. The "About Google Chrome" page will appear and automatically check for updates.

3. If the version number shows 146.0.7680.177 or higher, you're protected. If it's lower, click "Relaunch" to apply the update.

Using a different Chromium browser?

  • Edge: Navigate to edge://settings/help and check the Chromium version (should be 146.0.7680.177 or higher)
  • Brave: Navigate to brave://settings/help and verify the version
  • Vivaldi: Check vivaldi://about — patched in the 7.9 minor update
  • Opera: Go to Settings → About Opera to verify your version
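
The same check applied to a fleet rather than one browser, as an added example that is not part of the original article: it compares Chromium build numbers numerically against 146.0.7680.177 and separates hosts that have the update on disk but have not relaunched. The inventory format, host names and status labels are assumptions, and the sample rows are constructed.

```python
import re

# Fixed build from the article ("146.0.7680.177 or higher").
FIXED = (146, 0, 7680, 177)

# Constructed inventory (assumed format, not real data):
# host, browser, Chromium version on disk, Chromium version of the running process.
SAMPLE_INVENTORY = """\
ws-001,chrome,146.0.7680.178,146.0.7680.178
ws-002,chrome,146.0.7680.177,146.0.7680.99
ws-003,edge,146.0.7680.80,146.0.7680.80
ws-004,brave,145.0.7632.160,145.0.7632.160
ws-005,vivaldi,7.9,7.9
"""

_VERSION = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text):
    """Return a 4-part Chromium version as a tuple of ints, or None if it is not one."""
    text = text.strip()
    if not _VERSION.match(text):
        return None  # e.g. a product version such as "7.9", not a Chromium build
    return tuple(int(part) for part in text.split("."))


def classify(installed, running):
    """Compare numerically: as strings, '146.0.7680.99' sorts above '146.0.7680.177'."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None or run is None:
        return "UNKNOWN"          # cannot judge without the Chromium build number
    if run >= FIXED:
        return "PATCHED"
    if inst >= FIXED:
        return "RESTART_PENDING"  # update downloaded, old binary still running
    return "VULNERABLE"


def audit(inventory):
    """Map each host in the CSV-style inventory to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _browser, installed, running = line.split(",")
            results[host] = classify(installed, running)
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as UNKNOWN needs its Chromium build read from the browser's own version page, since a product version such as Vivaldi's 7.9 cannot be compared with the fixed build.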

CISA has set a deadline of April 15 for federal agencies. While this mandate doesn't legally bind private organizations, it serves as a widely referenced benchmark for how urgently an exploited vulnerability should be patched. If you haven't updated yet, do it now.

A Look Back at All Four Chrome Zero-Days of 2026

In just the first four months of 2026, four Chrome zero-day vulnerabilities have been exploited in real-world attacks. According to BleepingComputer, 2025 saw a total of eight for the entire year, meaning 2026 is on pace to significantly exceed that number.

What all four have in common is a CVSS score around 8.8 (HIGH) and the fact that the attack surface shifts to a different component each time: CSS processing, 2D rendering, the JavaScript engine, and now the GPU rendering engine. Attackers are probing a wide range of Chromium's codebase.

Why WebGPU Is Becoming an Attack Surface

To understand this vulnerability, you need to know how Dawn and WebGPU relate to each other.

WebGPU is a new API standard that gives web browsers direct access to a device's graphics processing unit (GPU). It enables lower-level GPU control than the legacy WebGL (2011), making it possible to run 3D graphics and machine learning inference at high speed within the browser. Dawn is the open-source library that implements this WebGPU standard for Chromium.

The challenge is that GPU resource management is inherently complex. According to CVEReports' analysis, the root cause of CVE-2026-5281 is a race condition in Dawn's command buffer queue management. When command buffers are submitted from JavaScript to the GPU and subsequently destroyed, the system fails to maintain proper synchronization between the buffer object lifecycle and the GPU task queue processing state. This leaves dangling pointers to freed memory, which attackers can overwrite with arbitrary data.

A use-after-free (UAF) is a bug where a program continues accessing a memory region after it has been freed. An attacker places malicious data in the freed region, and when the program treats that data as still valid, it can be tricked into executing arbitrary code.

The attack unfolds in two stages. First, a separate vulnerability is used to compromise the browser's renderer process (the process responsible for drawing web pages). Then, this Dawn bug is exploited to escape the browser sandbox and achieve arbitrary code execution at the host OS level.

Notably, this update also fixed three Dawn-related vulnerabilities simultaneously: CVE-2026-5281, CVE-2026-4676 (another Dawn use-after-free), and CVE-2026-5284 (yet another Dawn use-after-free). All were reported by the same anonymous researcher 86ac1f1587b71893ed2ad792cd7dde32, who according to Help Net Security also reported a WebGL heap buffer overflow (CVE-2026-4675). The concentration of bugs in graphics-related components is striking.

The Structural Reasons Behind Chrome's Zero-Day Surge

Of the four 2026 zero-days, three are use-after-free bugs (CVE-2026-3910, the V8 flaw, is the exception with an inappropriate implementation classification). This is no coincidence.

Chromium is primarily written in C++, where memory management is the programmer's responsibility. Google has previously published an analysis stating that roughly 70% of Chromium's security bugs stem from memory safety issues. Use-after-free is the quintessential example.

Google is tackling this problem with two approaches. The first is MiraclePtr, a smart pointer mechanism for C++ that detects use-after-free conditions and crashes the process before exploitation can succeed. The second is the gradual introduction of Rust into the Chromium codebase, which provides compile-time memory safety guarantees.

However, GPU-related components like Dawn are still relatively new, and their code maturity lags behind V8 and Blink. The WebGPU specification itself only shipped as stable in 2023. For attackers, this represents a "new attack surface likely rich in undiscovered bugs."

PCQuest characterizes this situation as "revealing a bigger browser security problem." The diversification of attack surfaces means that hardening one component simply redirects attackers to another, a whack-a-mole dynamic. The only fundamental solutions are to accelerate the migration from C++ to memory-safe languages, or to layer sandboxes more deeply to contain the blast radius of any single zero-day.

Key Takeaways

CVE-2026-5281 is an actively exploited Chrome zero-day vulnerability. It's a use-after-free in Dawn, the WebGPU implementation, allowing arbitrary code execution once an attacker has compromised the renderer process. All Chromium-based browsers are affected, including Chrome, Edge, Brave, Vivaldi, and Opera.

Open chrome://settings/help (or the equivalent page in your browser) right now and verify that your version is 146.0.7680.177 or higher. Even with auto-update enabled, the patch won't take effect until you restart the browser.

This fourth zero-day of 2026 shows attack surfaces expanding from CSS to Skia, V8, and now WebGPU. It's time to change the habit from "I'll update when I get around to it" to "I'll check the moment I see a security advisory."

堀川 慎

Backend Engineer / AWS / Django / Go