Chrome Zero-Day CVE-2026-5281 Exploited in Wild — 4th of 2026, Patch to 146.0.7680.178 Now

Google released an emergency Chrome update on April 1, 2026 to patch CVE-2026-5281 — a use-after-free vulnerability in the Dawn WebGPU component that is actively being exploited in the wild. This is the fourth Chrome zero-day patched in 2026. CISA added it to the Known Exploited Vulnerabilities catalog the same day, setting a mandatory federal patching deadline of April 15 for all FCEB agencies.

If you are running Chrome below version 146.0.7680.177 on any platform, you are exposed to a remotely exploitable code execution bug that attackers are already using.

Update Right Now

The patched versions are:

• Windows and macOS: 146.0.7680.177 or 146.0.7680.178
• Linux: 146.0.7680.177

To update: open Chrome → three-dot menu → Help → About Google Chrome → wait for update to download → click Relaunch.

Chrome auto-updates but only applies the update at next relaunch. A Chrome window that has been open for days is running the unpatched version even if the update downloaded. You need to actually relaunch.

Chromium-based browsers — Edge, Brave, Opera, Vivaldi — use the same Dawn engine and are likely affected by the same underlying vulnerability. Check each browser's update channel for patched versions; Edge has the fastest Chromium tracking of the major alternatives.

What the Vulnerability Actually Is

CVE-2026-5281 is a use-after-free in Dawn — the open-source, cross-platform implementation of the WebGPU standard that Chrome uses for GPU-accelerated graphics and compute.

Use-after-free: the program frees a block of memory, then subsequently accesses that same memory location. If an attacker can control what gets written to that freed memory before the second access happens, they control what the program reads as trusted data. In a browser context, this means an attacker can overwrite function pointers or object structures inside Chrome's renderer process, redirecting execution to attacker-controlled code.

The specific attack chain: an attacker hosts a crafted HTML page containing malicious WebGPU code. A user visits the page in Chrome. The WebGPU code triggers the use-after-free in Dawn. The attacker gains code execution inside Chrome's renderer process — the sandboxed process that handles page rendering.

The phrase "compromised renderer process" in Google's advisory is the key technical qualifier. This exploit reaches code execution inside the renderer sandbox, not outside it. Chaining this with a separate sandbox escape (a second vulnerability) would give the attacker full system access. Google has not confirmed whether a sandbox escape is being used in the active exploitation chains — but CISA's KEV listing and emergency patch speed suggests the threat is treated as high-severity.

Why WebGPU Is a Growing Attack Surface

WebGPU shipped in Chrome stable in May 2023. It replaced WebGL as the primary web standard for GPU access from JavaScript — enabling high-performance graphics, machine learning inference in the browser, and general GPU compute directly from web pages.

The attack surface of WebGPU is significantly larger than WebGL. WebGL exposed a relatively narrow subset of OpenGL ES. WebGPU exposes a modern GPU programming model — compute shaders, pipeline state objects, resource binding — that is far more complex and interacts with the GPU driver at a lower level.

Dawn is the implementation Chrome, Node.js (via the Dawn bindings), and other Chromium-based browsers use. A bug in Dawn is not Chrome-specific — it is a bug in shared infrastructure used across multiple runtimes. This is the second Dawn-related security incident in 2026, following a lower-severity issue patched in February.

The developer implication: if you are building WebGPU-based applications — browser-based ML inference, GPU compute for data visualization, WebGPU game engines — your users are running this attack surface. Keeping Chrome updated is not just a user hygiene issue, it is a security property of your WebGPU application.

This Is the Fourth Chrome Zero-Day of 2026

CVE-2026-5281 is the fourth actively exploited Chrome zero-day patched by Google in 2026. The cadence is accelerating:

• Zero-day 1 (January 2026): V8 JavaScript engine type confusion — exploited by state-sponsored actors
• Zero-day 2 (February 2026): Dawn component — lower severity, limited exploitation
• Zero-day 3 (March 2026): Mojo IPC use-after-free — exploited in targeted attacks against journalists and activists
• Zero-day 4 (April 2026, CVE-2026-5281): Dawn WebGPU use-after-free — actively exploited, CISA KEV listed

Four zero-days in 91 days is not a Chrome-specific failure — it reflects the intensity of security research and active exploitation targeting the browser attack surface in 2026. Nation-state actors, criminal ransomware groups, and commercial exploit brokers are all investing heavily in browser exploits because the browser is the most universal attack surface: it runs on every OS, handles untrusted content by design, and has GPU and network access.

Who Is Exploiting It

Google has not publicly attributed the exploitation. The standard disclosure pattern: Google confirms exploitation "in the wild" without naming threat actors, patches the vulnerability, and then security researchers and intelligence agencies publish attribution analysis weeks later.

Based on the pattern of previous Dawn-related exploits and the WebGPU-specific attack surface, the likely exploitation scenarios are:

Targeted espionage: state-sponsored actors running watering hole attacks — compromising websites visited by high-value targets (journalists, government officials, defense contractors) and delivering the exploit silently when the target visits the site.

Criminal drive-by: ransomware groups embedding the exploit in malvertising campaigns — ads that execute the exploit payload when rendered in the browser without any user interaction beyond loading the page.

Exploit broker testing: commercial exploit brokers (NSO Group competitors) validating the exploit as part of a chain for mobile or desktop targeted attacks.

CISA's mandatory April 15 federal deadline suggests this is being treated as sufficiently dangerous to warrant rapid compliance enforcement, not just a standard advisory.

What Enterprise and Developer Teams Should Do

Immediate (today):

• Force-relaunch all Chrome instances across managed devices — policy deployment via Chrome Browser Cloud Management or group policy
• Verify Chromium-based browser versions (Edge, Brave) are updated
• If using Chrome in CI/CD pipelines (Puppeteer, Playwright, automated testing), update the pinned Chrome version

Within 48 hours:

• Check Node.js applications using Dawn WebGPU bindings — same underlying library, may need separate update
• Review any internal applications that use Chrome in kiosk or embedded mode — these do not auto-update without explicit management

Ongoing:

• If you run a WebGPU-based application, consider adding a client-side version check that warns users running Chrome below the patched version
• CISA KEV listings are the most reliable signal for genuine exploitation severity — subscribe to the KEV RSS feed at cisa.gov/known-exploited-vulnerabilities-catalog

Key Takeaways

• CVE-2026-5281: use-after-free in Chrome's Dawn WebGPU engine — actively exploited in wild, remote code execution inside renderer process
• Patch now: update Chrome to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux) — relaunch required, not just download
• Fourth zero-day of 2026: January, February, March, and now April — one per month, accelerating cadence
• CISA KEV deadline: April 15, 2026 for all Federal Civilian Executive Branch agencies — treat this as the outer bound for enterprise enforcement
• WebGPU attack surface is growing: Dawn is shared infrastructure across Chrome, Node.js bindings, and Chromium-based browsers — a bug in Dawn affects the entire ecosystem
• Enterprise action: force-relaunch via Chrome Browser Cloud Management, verify Edge/Brave versions, check Puppeteer/Playwright pinned Chrome versions in CI/CD