
Chrome Zero-Day CVE-2026-5281 Exploited, Patch Available

Summary

– Google released a Chrome security update addressing 21 vulnerabilities, including an actively exploited zero-day flaw.
– The exploited vulnerability, CVE-2026-5281, is a high-severity use-after-free bug in the Dawn WebGPU component.
– Google has now patched four actively exploited Chrome zero-day vulnerabilities since the start of the year.
– Users should update Chrome to version 146.0.7680.177/178 for protection, with similar updates advised for other Chromium-based browsers.
– The U.S. cybersecurity agency CISA has added this flaw to its catalog, requiring federal agencies to apply fixes by April 15, 2026.

Google has issued a critical security update for its Chrome browser, patching a total of 21 vulnerabilities. Among these is a high-severity zero-day flaw, tracked as CVE-2026-5281, which the company confirms is already being actively exploited. This marks the fourth such actively weaponized vulnerability addressed in Chrome since the beginning of this year.

The specific issue is a use-after-free bug located within Dawn, the open-source implementation of the WebGPU standard. According to the National Vulnerability Database, this flaw could allow a remote attacker who has already compromised the browser’s renderer process to execute arbitrary code through a specially crafted HTML page. Google has deliberately withheld technical details about the ongoing attacks to prevent wider exploitation while most users install the patch.

This urgent update follows closely on the heels of recent fixes for two other high-severity zero-days, CVE-2026-3909 and CVE-2026-3910, which were also being exploited. In February, Google resolved a similar actively exploited use-after-free bug in Chrome’s CSS component, identified as CVE-2026-2441. The consistent appearance of these vulnerabilities underscores the persistent targeting of the world’s most popular web browser.

To secure their systems, users must update Chrome immediately. The patched versions are 146.0.7680.177/178 for Windows and macOS, and 146.0.7680.177 for Linux. The update process is straightforward: navigate to More > Help > About Google Chrome in the browser’s menu. If an update is pending, the page will display it, and users should select the option to Relaunch the browser to complete the installation.
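For administrators checking more than one machine, the version floor above can be applied to collected `--version` output. The following is an added example, not code from Google or the original article; the host names and inventory lines are constructed, and the tab-separated inventory format is an assumption.

```python
import re

# Minimum patched Chrome build named in the article (Windows/macOS also ship .178).
PATCHED = (146, 0, 7680, 177)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from text such as `--version` output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(text):
    """True if at or above the patched build, False if older, None if unparseable."""
    v = parse_version(text)
    # Tuples of ints compare numerically per component; comparing the raw
    # strings would wrongly rank "7680.99" above "7680.177".
    return None if v is None else v >= PATCHED

def audit(inventory):
    """Map each host in 'host<TAB>reported version' lines to a status string."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    results = {}
    for line in inventory.strip().splitlines():
        host, _, reported = line.partition("\t")
        results[host.strip()] = labels[is_patched(reported)]
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = (
    "ws-01\tGoogle Chrome 146.0.7680.178\n"
    "ws-02\tGoogle Chrome 146.0.7680.99\n"
    "ws-03\tGoogle Chrome 145.0.7632.160\n"
    "ws-04\tGoogle Chrome 146.0.7680.177 \n"
    "ws-05\tchrome: command not found\n"
)

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A host that has downloaded the update but not relaunched still runs the old build, so check the version of the running browser where possible. Other Chromium-based browsers use their own version numbers and are not covered by this check.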

The urgency of this patch has been formally recognized by U.S. authorities. On April 1, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog. This action mandates all Federal Civilian Executive Branch agencies to apply the Chrome fix by April 15, 2026.

Users of other browsers built on the Chromium engine, including Microsoft Edge, Brave, Opera, and Vivaldi, should remain vigilant. They are strongly advised to apply any corresponding security updates from their respective vendors as soon as those patches are released.

(Source: Internet)
