Google Chrome Zero-Day CVE-2026-5281 Actively Exploited in the Wild
Summary
A high-severity use-after-free zero-day vulnerability (CVE-2026-5281) in Google Chrome's Dawn WebGPU component is being actively exploited. CISA added it to the KEV catalog on April 1, 2026, requiring federal agencies to patch by April 15, 2026. This marks the fourth actively exploited Chrome zero-day fixed in 2026.
Threat Analysis
CVE-2026-5281 is a use-after-free vulnerability in Dawn, Google Chrome's open-source WebGPU implementation. A remote attacker who has already compromised the renderer process can exploit this flaw to execute arbitrary code via a crafted HTML page.

Google released patches in Chrome versions 146.0.7680.177/178 for Windows/macOS and 146.0.7680.177 for Linux. Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also affected and should be updated.

CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026, requiring Federal Civilian Executive Branch agencies to apply fixes by April 15, 2026.

Organizations should immediately update Chrome and enforce browser restarts. As a temporary workaround, disabling WebGPU via Chrome policy (WebGPUEnabled=false) can reduce exposure.

This is the fourth actively exploited Chrome zero-day patched in 2026, following CVE-2026-2441, CVE-2026-3909, and CVE-2026-3910.
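
The update-and-restart guidance above can be checked against a fleet inventory. The following is an added example, not part of the original advisory: it triages hosts against the fixed build 146.0.7680.177 and separates machines that still need the update from machines that are patched on disk but still running an old build until the browser restarts. The inventory data is constructed and its column names are assumptions; it covers Google Chrome version strings only.

```python
import csv
import io

# Lowest fixed build named in the advisory (applies to Windows, macOS and Linux).
FIXED = (146, 0, 7680, 177)

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,platform,installed_version,running_version
ws-001,windows,146.0.7680.178,146.0.7680.178
ws-002,windows,146.0.7680.178,146.0.7680.120
mac-014,macos,146.0.7680.150,146.0.7680.150
lnx-203,linux,146.0.7680.177,
lnx-204,linux,147.0.7700.10,147.0.7700.10
ws-099,windows,unknown,
"""

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(installed, running):
    """Classify one host against the fixed build."""
    inst = parse_version(installed)
    if inst is None:
        return "unknown"               # cannot prove it is patched; review manually
    if inst < FIXED:
        return "update-required"
    if running.strip():                # empty means no browser process was observed
        run = parse_version(running)
        if run is None:
            return "unknown"
        if run < FIXED:
            return "restart-required"  # patched on disk, old build still in memory
    return "patched"

def triage(inventory_csv):
    """Map host -> status for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed_version"], r["running_version"] or "")
            for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as restart-required are the ones a forced browser relaunch addresses; unknown rows are treated as unpatched until verified.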