Google fixes fourth actively exploited Chrome zero-day of 2026

Google fixed a new Chrome zero-day, tracked as CVE-2026-5281, in the WebGPU Dawn component that is already exploited in the wild.

Google released Chrome updates fixing 21 vulnerabilities, including a new actively exploited zero-day tracked as CVE-2026-5281. The flaw is a use-after-free bug in Dawn, the WebGPU component used for graphics processing.

Due to ongoing exploitation, the company urges users to update their browsers immediately to reduce the risk of attacks.

“Google is aware that an exploit for CVE-2026-5281 exists in the wild.” reads the advisory.

A use-after-free (UAF) bug is a type of memory error where a program continues to use a piece of memory after it has already been freed (released).

Attackers can exploit use-after-free bugs to crash applications, execute malicious code, or take control of a system. Google fixed the Chrome zero-day and urges users to update to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).

As usual, Google did not reveal technical details of the attacks exploiting this flaw or the type of attackers involved, to give users time to update and prevent others from exploiting it.

CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026, below the other actively exploited flaws addressed by Google this year:

• February 2026 – CVE-2026-2441 – Use after free in CSS
• March 2026 – CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library and CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)