
Google patched CVE-2026-5281, a WebGPU zero-day exploited in the wild, affecting Chrome and possibly other Chromium browsers. It marks the fourth actively exploited zero-day the company has fixed this year.
The flaw is a use-after-free error in Dawn, the open-source WebGPU implementation that Chrome uses for graphics rendering. An attacker who has already gained control of the renderer process can trigger the error with a malicious HTML page and execute arbitrary code inside the browser sandbox. Google assigned it a high severity rating and released fixes in Chrome 146.0.7680.177 for Linux and 146.0.7680.177/178 for Windows and macOS on 31 March 2026.
CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalogue on 1 April 2026, setting a remediation deadline of 15 April 2026 for federal agencies. The agency notes that the vulnerability could affect Microsoft Edge, Opera and any other Chromium derivative that has not yet incorporated the upstream patch. No specific threat actor has been linked to the activity so far.
Google described the issue as the fourth Chrome zero-day under active attack in 2026, although it has not disclosed the identities or motives of the attackers. Successful exploitation requires the renderer process to already be compromised, after which a specially crafted web page can trigger the use-after-free condition. Public technical details remain scarce, with the vendor only describing the defect as a memory handling error in Dawn.
Defenders should prioritise updating all Chrome installations to the versions mentioned in the advisory, and extend the same check to Edge, Opera and other Chromium-based browsers used within the organisation. Where immediate updating is not feasible, consider disabling the WebGPU feature or restricting access to untrusted websites until the patch can be applied. Security teams should also review web proxy logs for unexpected HTML payloads that could attempt to leverage the flaw.
Finally, maintain an asset inventory of browsers and plug-ins, follow CISA’s Binding Operational Directive 22-01 for cloud workloads, and validate the patch in a test environment before broader deployment. Staying current with Chrome’s release channel remains the most effective defence against this and similar zero-day threats.
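The version check and asset inventory recommended above can be automated. The following is an added example, not code from Google or CISA: it audits a browser inventory against the fixed Chrome builds named in this article. The CSV column names, host names and sample version strings are constructed for illustration, and because the article gives no fixed builds for Edge, Opera or other derivatives, those rows are flagged for manual vendor verification rather than compared.

```python
import csv
import io

# Fixed Chrome builds from the article: 146.0.7680.177 (Linux) and
# 146.0.7680.177/178 (Windows, macOS), so .177 is the minimum on every platform.
FIXED_CHROME = (146, 0, 7680, 177)

# Constructed sample inventory (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """host,os,browser,version
ws-001,windows,chrome,146.0.7680.178
ws-002,windows,chrome,146.0.7680.165
lx-010,linux,chrome,146.0.7680.177
mac-03,macos,chrome,145.0.7632.160
ws-004,windows,edge,146.0.3856.84
ws-005,windows,opera,129.0.5823.15
lx-011,linux,chrome,unknown
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if not a Chromium-style version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version_text):
    """Classify one inventory row against the fixed Chrome build."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # repair the inventory record before trusting it
    if browser.lower() != "chrome":
        # No fixed builds for derivatives appear in the article, and their
        # version numbers are not comparable to Chrome's.
        return "check-vendor"
    return "patched" if version >= FIXED_CHROME else "vulnerable"

def audit(inventory_csv):
    """Return (host, browser, version, status) for every row of the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["browser"], r["version"],
             classify(r["browser"], r["version"])) for r in rows]

if __name__ == "__main__":
    for host, browser, version, status in audit(SAMPLE_INVENTORY):
        if status != "patched":
            print(f"{status:13} {host:8} {browser:7} {version}")
```

Rows reported as `unparsed` or `check-vendor` need follow-up just as much as `vulnerable` ones; they mark hosts whose patch state the inventory cannot establish.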