Google Chrome CVE-2026-5281: Use-After-Free Zero-Day Actively Exploited
Summary
Google patched CVE-2026-5281, a use-after-free vulnerability in Dawn (Chromium's WebGPU implementation) that is being actively exploited in the wild. This is the fourth Chrome zero-day patched in 2026, and CISA has added it to the Known Exploited Vulnerabilities catalog with a remediation deadline of April 15, 2026. The flaw affects all Chromium-based browsers, including Chrome, Microsoft Edge, and Opera.
Threat Analysis
CVE-2026-5281 is a use-after-free vulnerability in Google Dawn, the cross-platform WebGPU implementation used by the Chromium project. The vulnerability allows a remote attacker who has compromised the renderer process to execute arbitrary code via a crafted HTML page. This is the fourth Chrome zero-day vulnerability patched in 2026, indicating sustained attacker interest in browser-based exploitation chains.
Affected Products: Google Chrome (all versions prior to the emergency patch), Microsoft Edge (Chromium-based), Opera, and other Chromium-based browsers.
Exploitation Status: Actively exploited in the wild. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to remediate by April 15, 2026.
Recommended Mitigations: Update Google Chrome to the latest version immediately. Enable automatic updates for all Chromium-based browsers. Consider restricting access to untrusted web content in high-security environments. Monitor for browser crash telemetry that may indicate exploitation attempts.
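To track the update mitigation across a fleet, the following added example (not from the original advisory or from Google) audits an inventory of Chromium-based browsers against a fixed build and the April 15, 2026 KEV deadline. The inventory rows, host names and the fixed-build value are constructed placeholders: the advisory does not state the patched version, so take it from the vendor release notes, and the example assumes the inventory records the Chromium engine version for each browser.

```python
from datetime import date

KEV_DUE = date(2026, 4, 15)  # remediation deadline stated in this advisory
# Placeholder only: the advisory does not give the fixed build. Replace it with
# the Chromium version from the vendor release notes before real use.
FIXED_PLACEHOLDER = "999.0.1000.50"

# Constructed inventory rows: (host, browser, Chromium engine version reported).
# Edge and Opera carry their own product versions, so compare the engine version.
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "999.0.1000.50"),
    ("ws-002", "edge", "999.0.1000.9"),     # 9 < 50 numerically, not as text
    ("ws-003", "opera", "998.0.2000.120"),
    ("ws-004", "chrome", "unknown"),        # agent failed to report a version
    ("ws-005", "chrome", "1000.0.0.0"),
]

def parse_version(text):
    """Return a 4-int tuple for 'a.b.c.d', or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory, fixed, today):
    """Classify each host as patched, vulnerable, or unknown (treated as at risk)."""
    floor = parse_version(fixed)
    if floor is None:
        raise ValueError("fixed version must be four dotted integers")
    days_left = (KEV_DUE - today).days  # negative means the deadline has passed
    report = []
    for host, browser, version in inventory:
        parsed = parse_version(version)
        if parsed is None:
            status = "unknown"
        elif parsed >= floor:
            status = "patched"
        else:
            status = "vulnerable"
        report.append({"host": host, "browser": browser, "status": status,
                       "overdue": status != "patched" and days_left < 0})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY, FIXED_PLACEHOLDER, date(2026, 4, 16)):
        print(row)
```

Hosts with an unparseable version are reported as "unknown" and counted against the deadline rather than assumed patched.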