Chrome’s New High‑Severity 0‑Day: CVE‑2026‑5281 Exploited in the Wild
Google released an emergency update on April 1 2026 fixing a high‑severity Use‑After‑Free vulnerability (CVE‑2026‑5281) in Chrome’s WebGPU Dawn component that is already exploited in the wild; the article details the flaw’s mechanics, attack flow, affected versions, exploitation challenges, and mitigation recommendations.
Event Overview
On 2026‑04‑01 Google issued an emergency security update that patches a high‑severity vulnerability in Chrome identified as CVE‑2026‑5281. The flaw is a Use‑After‑Free (UAF) type located in the WebGPU implementation layer Dawn. Google confirmed that the vulnerability is being exploited in the wild, making it the fourth actively exploited Chrome zero‑day reported in 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on the same day and required federal civilian agencies to apply the fix by 2026‑04‑15.
Technical Analysis
Basic Vulnerability Information
CVE ID: CVE‑2026‑5281
Type: Use‑After‑Free
Affected Component: Dawn (WebGPU cross‑platform implementation)
Affected Versions: Chrome < 146.0.7680.177/178 on Windows/macOS; Chrome < 146.0.7680.177 on Linux
Fixed Versions: 146.0.7680.177/178 (Windows/macOS) and 146.0.7680.177 (Linux)
CVSS v3.1 Score: 8.8 (High)
Exploitation Status: Confirmed in the wild
Dawn Component and WebGPU Architecture
Dawn is the open‑source implementation of the WebGPU standard within the Chromium project. It mediates GPU‑accelerated rendering tasks by managing the lifecycle of GPU resources such as buffers, textures, and pipelines. Dawn abstracts platform‑specific graphics APIs (Vulkan, Metal, DirectX 12) to provide a uniform interface for WebGPU, which makes memory‑safety bugs particularly risky.
Use‑After‑Free Mechanism
The UAF arises from improper object‑lifecycle management: after a GPU object is freed, a dangling pointer may remain. When the program later dereferences that pointer, undefined behavior occurs.
In Dawn, the specific trigger sequence involves:
Object memory is released back to the heap allocator.
Other code paths still hold a valid pointer to the freed memory.
An attacker‑controlled WebGPU call sequence accesses the dangling pointer before the memory is reallocated.
The control flow is hijacked, enabling arbitrary code execution.
According to the NVD description, a remote attacker who already controls the renderer process can execute arbitrary code via a crafted HTML page, potentially achieving privilege escalation or sandbox escape.
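To make the lifecycle problem described above concrete, here is an added C++ model (constructed for this article, not Dawn's code) of a reference‑counted GPU‑buffer handle with an explicit destroy(): the vulnerable shape keeps a raw pointer that dangles after the backing is freed, and the hardened shape keeps shared ownership and records the destroyed state so a later access yields a validation status instead of touching freed memory. All names (Backing, RawHandle, BufferHandle, Status) are hypothetical.

```cpp
#include <cstdint>
#include <memory>
#include <vector>
struct Backing {                       // hypothetical GPU allocation, not Dawn's
    std::vector<uint8_t> bytes;
    explicit Backing(std::size_t n) : bytes(n, 0xAB) {}
};

// VULNERABLE shape (contrast only, never exercised): Destroy() frees the
// backing but leaves the raw pointer in place; a later ReadByte() is a UAF.
struct RawHandle {
    Backing* backing;
    explicit RawHandle(std::size_t n) : backing(new Backing(n)) {}
    void Destroy() { delete backing; }   // pointer now dangles
    uint8_t ReadByte(std::size_t i) { return backing->bytes[i]; }
};
// HARDENED shape: shared ownership keeps the backing alive while queued work
// references it, and the handle records destroyed state so later operations
// return a validation status instead of touching memory.
enum class Status { Ok, Destroyed, OutOfRange };

class BufferHandle {
public:
    explicit BufferHandle(std::size_t n) : backing_(std::make_shared<Backing>(n)) {}
    std::shared_ptr<Backing> Share() const { return backing_; }  // e.g. queued copy
    void Destroy() { backing_.reset(); }  // freed only when the last owner lets go
    Status ReadByte(std::size_t i, uint8_t* out) const {
        if (!backing_) return Status::Destroyed;
        if (i >= backing_->bytes.size()) return Status::OutOfRange;
        *out = backing_->bytes[i];
        return Status::Ok;
    }
private:
    std::shared_ptr<Backing> backing_;
};

// The sequence from the text: create, destroy, then access the object again.
Status DestroyThenRead(uint8_t* out) {
    BufferHandle buf(16);
    buf.Destroy();
    return buf.ReadByte(0, out);
}

// Queued work that captured the backing before Destroy() still reads valid data.
uint8_t QueuedReadAfterDestroy() {
    BufferHandle buf(16);
    std::shared_ptr<Backing> queued = buf.Share();
    buf.Destroy();
    return queued->bytes[0];
}
```

Built with AddressSanitizer, the RawHandle path would be reported as heap‑use‑after‑free at ReadByte(), which is the signal the reproduction notes below rely on.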
Attack Vector Analysis
Exploitation requires:
The target runs a vulnerable Chrome version.
The victim is lured to a malicious webpage.
The attacker first gains renderer‑process control (e.g., via a separate JavaScript‑engine vulnerability).
The attack flow consists of:
Initial intrusion: Phishing link, malicious ad, or compromised site delivers the malicious page.
Renderer compromise: An independent renderer vulnerability (such as a V8 bug) grants code execution in the renderer.
UAF trigger: Crafted WebGPU API calls create and then destroy a GPU object while a dangling reference is still reachable.
Memory layout control: Heap spraying or grooming ensures attacker‑controlled data occupies the freed slot.
Code execution: Overwrites a vtable pointer or return address to run shellcode.
Sandbox escape (optional): Additional exploits bypass Chrome’s sandbox layers to gain system‑level privileges.
Wild Exploitation Landscape
Google’s advisory uses the standard “known‑exploited” phrasing, indicating active attacks but withholding technical details to avoid aiding other attackers. CISA’s inclusion of the CVE in the KEV catalog confirms real‑world use against U.S. government systems.
In 2026 so far, Chrome has patched four zero‑days that were actively exploited, illustrating a growing trend of sophisticated attacks targeting complex browser components such as graphics rendering and JavaScript engines.
Reproduction Technical Analysis
Reproduction Environment Setup
Note: The steps are for security‑research and defensive purposes only.
Operating System: Windows 10/11, macOS, or Linux
Target Browser: Chrome 146.0.7680.176 or earlier
GPU: Any WebGPU‑capable graphics card (e.g., NVIDIA GTX 10 series+, AMD RX series, Intel Iris Xe+)
Reproduction Steps Overview
Obtain a vulnerable Chrome build
Download the specific version from the Chrome Enterprise archive.
Disable automatic updates.
Understand Dawn’s WebGPU implementation
Source code resides in third_party/dawn within the Chromium tree.
Key objects include wgpu::Buffer, wgpu::Texture, and wgpu::Device, which use reference counting and explicit destroy() calls.
Construct trigger conditions
Create GPU objects via JavaScript WebGPU calls.
Invoke destroy() on an object at a precise moment.
Access the object again before the heap re‑allocates the memory.
Validate the exploit
Observe a browser crash.
Use an AddressSanitizer‑built Chromium to detect UAF accesses.
Analyze crash logs to confirm the Use‑After‑Free nature.
Technical Limitations and Challenges
Unknown trigger path: Exact API sequences and timing conditions are not publicly disclosed.
Complex memory layout: Modern browsers employ PartitionAlloc with randomization and isolation, raising exploitation difficulty.
Sandbox constraints: Even if UAF is triggered, executing arbitrary code is limited by Chrome’s multi‑layer sandbox architecture.
Detection and Debugging Methods
Researchers can employ static and dynamic analysis:
Static analysis: Review Dawn source for object‑lifecycle logic, focusing on RefCounted usage and destroy() implementations.
Dynamic analysis: Attach WinDbg or GDB to the renderer process, set breakpoints on key allocation/free functions, and monitor GPU object creation/destruction events.
Fuzzing: Use the WebGPU Conformance Test Suite (CTS) as a base and build a dedicated fuzzer for Dawn APIs, optionally instrumented with AddressSanitizer.
Impact Assessment
Affected Versions
Windows/macOS: all versions prior to 146.0.7680.177
Linux: all versions prior to 146.0.7680.177
Derived Impact
Because Dawn is an open‑source component of Chromium, other Chromium‑based browsers are also affected:
Microsoft Edge – patch pending
Brave – monitor official updates
Opera – monitor official updates
Vivaldi – patch released
Risk Rating
CVSS 3.1 scores the vulnerability at 8.8 (High). The attack vector is network‑based, complexity is low, no special privileges are required, and user interaction (visiting a malicious page) is needed. Successful exploitation can affect confidentiality, integrity, and availability of the host system, and may enable sandbox escape.
Defensive and Mitigation Measures
Immediate Actions
Update Chrome immediately
Open Chrome menu → Help → About Google Chrome.
Allow the browser to check for and install updates.
Restart Chrome and verify the version is ≥ 146.0.7680.177 (Linux) or ≥ 146.0.7680.177/178 (Windows/macOS).
Enable automatic updates
Ensure Chrome’s auto‑update feature is active.
Enterprise environments can use Google Update or Microsoft Endpoint Configuration Manager for centralized deployment.
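As an added check for the version step above (constructed here, not part of the advisory or Google's tooling): a C++ routine that decides whether a reported Chrome build is still below the minimum fixed version named on this page, comparing fields numerically rather than as strings. It assumes the "Google Chrome <version>" line that chrome --version prints; kMinFixedVersion is the page's 146.0.7680.177, the lowest fixed build on any platform.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Minimum fixed build per the advisory (146.0.7680.177 on every platform;
// Windows/macOS shipped 177/178, Linux 177).
const std::string kMinFixedVersion = "146.0.7680.177";

// Split "146.0.7680.176" into numeric fields.
std::vector<long> ParseVersion(const std::string& v) {
    std::vector<long> fields;
    std::stringstream ss(v);
    std::string part;
    while (std::getline(ss, part, '.')) fields.push_back(part.empty() ? 0 : std::stol(part));
    return fields;
}

// Field-by-field numeric comparison. A plain string compare is the classic
// mistake: it ranks "146.0.7680.99" above "146.0.7680.177".
bool IsAtLeast(const std::string& installed, const std::string& fixed) {
    std::vector<long> a = ParseVersion(installed), b = ParseVersion(fixed);
    std::size_t n = std::max(a.size(), b.size());
    a.resize(n, 0);
    b.resize(n, 0);
    return a >= b;   // vector<> compares element-wise, leftmost field first
}

// Pull the version token out of what `chrome --version` prints, e.g.
// "Google Chrome 146.0.7680.176"; returns "" if no dotted-number token exists.
std::string ExtractVersion(const std::string& line) {
    std::stringstream ss(line);
    std::string tok;
    while (ss >> tok) {
        bool dotted = tok.find('.') != std::string::npos &&
                      std::all_of(tok.begin(), tok.end(),
                                  [](unsigned char c) { return std::isdigit(c) || c == '.'; });
        if (dotted) return tok;
    }
    return "";
}

// True when the reported build predates the fix (or cannot be parsed, which
// an inventory script should treat as "needs a look", not "patched").
bool IsVulnerable(const std::string& versionLine) {
    std::string v = ExtractVersion(versionLine);
    return v.empty() || !IsAtLeast(v, kMinFixedVersion);
}
```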
Temporary Mitigations (Enterprise)
Disable WebGPU
Via Chrome enterprise policy: set Software\Policies\Google\Chrome\DefaultWebGpuAdapter = 0
Or launch Chrome with the flag --disable-webgpu
Enable site isolation
Ensure the flag chrome://flags/#enable-site-per-process is enabled.
Strengthen network filtering
Deploy web‑filtering solutions to block known malicious domains.
Monitor abnormal GPU‑process activity.
Detection & Response
Monitor for unexpected Chrome renderer crashes, especially those involving GPU processes.
Use EDR tools to detect anomalous memory allocation patterns in the renderer.
Watch for suspicious outbound connections originating from browser processes.
References
Google Chrome release notes: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
NVD vulnerability details: https://nvd.nist.gov/vuln/detail/CVE-2026-5281
CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Black & White Path