Vulnerabilities | Critical

Chrome Zero-Day CVE-2026-5281 Actively Exploited — CISA Mandates Patch by April 15

Wednesday, April 8, 2026
Global
NVD + CISA KEV + The Hacker News

Summary

Google patched a high-severity use-after-free vulnerability (CVE-2026-5281) in Chrome's Dawn WebGPU implementation that is actively exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 15, 2026. This is the fourth actively exploited Chrome zero-day patched in 2026.

Threat Analysis

CVE-2026-5281 is a use-after-free vulnerability in Dawn, the cross-platform WebGPU implementation used by Chromium-based browsers. A remote attacker who has compromised the renderer process can execute arbitrary code via a specially crafted HTML page. The flaw carries a CVSS v3 base score of 8.8 (High) and affects Chrome versions prior to 146.0.7680.177/178 on Windows/macOS and 146.0.7680.177 on Linux. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are also potentially affected.

Google confirmed active exploitation in the wild but has withheld specific details about threat actors to allow users time to patch. CISA added CVE-2026-5281 to its KEV catalog on April 1, 2026, requiring Federal Civilian Executive Branch agencies to apply fixes by April 15, 2026.

Mitigations: Update Chrome to version 146.0.7680.177/178 or later immediately. If patching is not immediately possible, disable WebGPU via Chrome policy (WebGPUEnabled = false) as a temporary measure. Enterprise administrators should enforce relaunch windows via management tools.
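The following is an added example, not part of the original brief and not vendor tooling: it triages a browser inventory against the fixed Chrome build and the KEV deadline stated above. The inventory rows, host names and function names are constructed for illustration; it treats 146.0.7680.177 as the first fixed build on every platform and assumes the other Chromium-based browsers use their own version numbering, so they are flagged for vendor follow-up instead of being compared.

```python
# Constructed sample data and hypothetical helper names; not vendor tooling.
from datetime import date

FIXED_CHROME = (146, 0, 7680, 177)   # first fixed build per the brief
KEV_DEADLINE = date(2026, 4, 15)     # CISA remediation deadline per the brief
CHROMIUM_BASED = {"edge", "brave", "opera", "vivaldi"}  # "potentially affected"

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version):
    """Map one inventory row to PATCHED, VULNERABLE, CHECK_VENDOR or UNKNOWN."""
    name = browser.strip().lower()
    if name in CHROMIUM_BASED:
        # The brief gives no fixed build for these (assumption: their build
        # numbers are not comparable to Chrome's), so defer to the vendor.
        return "CHECK_VENDOR"
    if name != "chrome":
        return "UNKNOWN"
    parsed = parse_version(version)
    if parsed is None:
        return "UNKNOWN"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "146.0.7680.99" above "146.0.7680.177".
    return "PATCHED" if parsed >= FIXED_CHROME else "VULNERABLE"

def triage(rows, today):
    """Return the (host, status) pairs still needing action and days left."""
    todo = [(h, classify(b, v)) for h, b, v in rows]
    return [(h, s) for h, s in todo if s != "PATCHED"], (KEV_DEADLINE - today).days

# Constructed inventory: (hostname, browser, reported version)
SAMPLE = [
    ("ws-001", "Chrome", "146.0.7680.178"),
    ("ws-002", "Chrome", "146.0.7680.99"),
    ("ws-003", "Chrome", "145.0.7600.200"),
    ("ws-004", "Edge", "146.0.3800.70"),
    ("ws-005", "Chrome", "unknown"),
]

if __name__ == "__main__":
    pending, days_left = triage(SAMPLE, date(2026, 4, 8))
    for host, status in pending:
        print(f"{host}: {status}")
    print(f"days until KEV deadline: {days_left}")
```

Hosts reported as UNKNOWN or CHECK_VENDOR need manual follow-up; they are not evidence of a patched state.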

Last updated: Apr 8, 2026, 08:18 AM
