Google fixed a new Chrome zero-day, tracked as CVE-2026-5281, in the WebGPU Dawn component that is already exploited in the wild.
Google released Chrome updates fixing 21 vulnerabilities, including a new actively exploited zero-day tracked as CVE-2026-5281. The flaw is a use-after-free bug in Dawn, the WebGPU component used for graphics processing.
Due to ongoing exploitation, the company urges users to update their browsers immediately to reduce the risk of attacks.
“Google is aware that an exploit for CVE-2026-5281 exists in the wild.” reads the advisory.
A use-after-free (UAF) bug is a type of memory error where a program continues to use a piece of memory after it has already been freed (released).
EXPLORE MORE
It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies
A critical Telegram flaw could allow zero-click remote code execution on devices,…
Dutch Ministry of Finance takes treasury systems offline amid cyber incident investigation
The Dutch Ministry of Finance took treasury banking portal offline after a…
Operation Epic Fury: The $11 Billion Price Tag of US Air Superiority
A new report from the Center for Strategic and International Studies (CSIS)…
What is a ‘Metroidvania’? The Secret Recipe for Your Favorite Games
If you spend any time reading about games like Hollow Knight, Ori,…
The European Commission confirmed a cyberattack affecting part of its cloud systems
The European Commission confirmed a cyberattack affecting part of its cloud systems,…
Precision Strike Severs Tehran-Karaj Link
In one of the most visually devastating moments of the 2026 conflict,…
Attackers can exploit use-after-free bugs to crash applications, execute malicious code, or take control of a system. Google fixed the Chrome zero-day and urges users to update to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).
As usual, Google did not reveal technical details of the attacks exploiting this flaw or the type of attackers involved, to give users time to update and prevent others from exploiting it.
CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026, below the other actively exploited flaws addressed by Google this year:
- February 2026 – CVE-2026-2441 – Use after free in CSS
- March 2026 – CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library and CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine
