Update Now
On April 1, 2026, Google released Chrome 146.0.7680.177/.178 to fix CVE-2026-5281, a use-after-free vulnerability in Dawn that's being actively exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog the same day, with a federal remediation deadline of April 15.
This affects all Chromium-based browsers, not just Chrome. If you're running Microsoft Edge, Brave, Opera, or Vivaldi, check for updates too.
Key Facts
- CVE: CVE-2026-5281
- Severity: High (CWE-416: Use-After-Free)
- Component: Dawn (WebGPU implementation in Chromium)
- Impact: Remote code execution via crafted HTML page
- Prerequisite: Attacker must first compromise the renderer process
- Patched in: Chrome 146.0.7680.177/.178 (Windows/Mac), 146.0.7680.177 (Linux)
- CISA KEV deadline: April 15, 2026
- Reported by: Pseudonymous researcher (identifier: _86ac1f1587b71893ed2ad792cd7dde32_)
What's Dawn and Why Does It Matter
Dawn is Google's open-source implementation of the WebGPU standard. WebGPU is the successor to WebGL, giving web applications direct access to GPU hardware for graphics rendering and compute workloads. It's used by browser-based games, 3D visualisations, machine learning inference in the browser, and increasingly by AI-powered web apps.
A use-after-free in Dawn means the browser accesses GPU-related memory after it's been freed. An attacker who has already compromised Chrome's renderer process (the sandboxed process that handles web page content) can exploit this to execute arbitrary code. Depending on the specifics of the exploit chain, this could mean escaping Chrome's sandbox entirely and running code at the OS level.
Google hasn't published the full technical details yet, which is standard practice. They typically wait until a majority of users have updated before disclosing exploit specifics.
A Prolific Pseudonymous Researcher
The researcher who reported CVE-2026-5281 uses the identifier _86ac1f1587b71893ed2ad792cd7dde32_ rather than a real name. They've been busy. The same researcher reported two other vulnerabilities fixed in Chrome's March 23 update (CVE-2026-4675 and CVE-2026-4676) plus another Dawn use-after-free bug (CVE-2026-5284) that was fixed in this same April 1 release.
Four bugs from one researcher in under two weeks, all in Dawn. Either they've been doing focused fuzzing of the WebGPU surface, or they've found a pattern that keeps producing variants. Either way, expect more Dawn bugs in the near future.
Chrome's 2026 Zero-Day Streak
CVE-2026-5281 is Chrome's fourth actively exploited zero-day this year, and we're only in April. Here's the running tally:
| CVE | Date | Component | Type |
|---|---|---|---|
| CVE-2026-2441 | Feb 2026 | CSS | Use-after-free |
| CVE-2026-3909 | Mar 2026 | Skia (2D graphics) | Out-of-bounds write |
| CVE-2026-3910 | Mar 2026 | V8 (JavaScript engine) | Inappropriate implementation |
| CVE-2026-5281 | Apr 2026 | Dawn (WebGPU) | Use-after-free |
Three of the four target rendering or graphics components (CSS, Skia, Dawn). The attack surface for browser graphics has grown significantly with WebGPU adoption, and attackers are clearly paying attention. V8 has historically been the most targeted component in Chrome, but the shift toward graphics-layer exploits is a trend worth watching.
What to Do
For Users
Update Chrome. Go to chrome://settings/help and let it pull the latest version. Restart the browser. Do the same for Edge (edge://settings/help), Brave, Opera, or any other Chromium-based browser you use.
If you manage a fleet of machines, push the update through your endpoint management tool. Don't wait for auto-update to roll out on its own.
For IT and Security Teams
- Verify Chrome versions across your estate. Anything below 146.0.7680.177 is vulnerable.
- If you can't update immediately, consider disabling WebGPU via Chrome policy (
--disable-features=Vulkan,WebGPU) as a temporary mitigation. This breaks WebGPU-dependent sites but removes the attack surface. - Monitor for exploitation indicators. Google hasn't published IOCs yet, but watch for unusual renderer process crashes or unexpected GPU process behaviour in Chrome crash logs.
- FCEB agencies have until April 15 to remediate per the CISA directive.
For Developers
If you ship an Electron or Chromium Embedded Framework (CEF) app, check which Chromium version your framework bundles. You may need to update your framework dependency independently of your users' browser updates.
The Bigger Picture
Four zero-days in four months isn't unusual for Chrome. In 2024 there were ten. The pace hasn't slowed. What's changed is the attack surface. WebGPU is relatively new, and Dawn is a large, complex codebase that talks directly to GPU drivers. GPU drivers themselves have a long history of memory safety issues. The combination of a complex browser API, low-level hardware access, and fast-moving spec development creates a fertile ground for bugs.
The pseudonymous researcher finding four Dawn bugs in two weeks suggests the attack surface hasn't been fully explored yet. If one person can find that many that quickly, there are likely more waiting to be found.
For organisations, this reinforces why layered security testing and aggressive patch management matter. The same week this landed, Cisco shipped a 9.8 unauth RCE in SSM On-Prem — the pattern of unpatched enterprise software sitting on the public internet is the constant, not any one vendor. Browser vulnerabilities are one of the most common initial access vectors, and the window between disclosure and exploitation keeps shrinking. In this case, the exploit existed in the wild before the patch was released.
Keep Your Attack Surface Visible
Browser zero-days are hard to prevent, but exposed services and unpatched infrastructure don't have to be. Luna scans your external attack surface for known CVEs, misconfigurations, and exposed services across your internet-facing assets. Run a scan and see what's exposed.