GOOGLE patched CVE-2026-5281, a high-severity use-after-free vulnerability in Dawn, Chromium’s WebGPU implementation, and it has confirmed exploitation in the wild. The NVD wording outlines that a remote attacker who had already compromised the renderer process could execute arbitrary code via a crafted HTML page. Chrome fixed the flaw in stable desktop builds released on 31 March 2026, with Windows and macOS versions 146.0.7680.177/178 and Linux 146.0.7680.177.
The CISA KEV catalogue added CVE-2026-5281 on 1 April 2026, with a remediation due date for federal agencies of 15 April 2026. Potentially, other Chromium-based browsers may be affected until upstream fixes are included in their builds. Public technical details remain limited, and Google’s release notes describe the flaw only as a use-after-free in Dawn, with additional details restricted by the Chromium project.