Key Takeaway
Google patched CVE-2026-5281, an actively exploited use-after-free zero-day in Dawn, Chrome's WebGPU implementation, as part of a 21-vulnerability Chrome security update. The high-severity flaw allows remote attackers to compromise the browser renderer via a malicious webpage, with no authentication or user interaction beyond page load required. All Chrome users and administrators should update to the latest stable release immediately.
CVE-2026-5281: Chrome Zero-Day Use-After-Free in Dawn WebGPU Component Exploited in the Wild
Affected Product: Google Chrome (all platforms prior to the patched release)
Vulnerability Overview
Google released a Chrome security update addressing 21 vulnerabilities, including an actively exploited zero-day tracked as CVE-2026-5281. The flaw carries a high severity rating; Google has not published a CVSS score at this time.
The vulnerability is a use-after-free (UAF) bug residing in Dawn, Google's open-source, cross-platform implementation of the WebGPU standard. WebGPU is a modern graphics API exposed to web content, allowing browsers to interface with GPU hardware for accelerated rendering and compute workloads.
Use-after-free vulnerabilities occur when a program continues to reference a memory region after it has been freed. Depending on heap layout and timing, an attacker can manipulate that freed memory to redirect execution flow, corrupt data structures, or achieve arbitrary code execution within the browser's renderer process.
Because Dawn is a cross-platform library, the attack surface spans Chrome on Windows, macOS, and Linux. Any user or system running an unpatched version of Chrome that renders WebGPU content is exposed.
Attack Vector and Exploitation
The attack vector is remote and requires no authentication. A user visiting a malicious or compromised webpage that serves crafted WebGPU content can trigger the vulnerability. No file download, no elevated privileges, and no additional user interaction beyond page load is required in a typical exploitation scenario.
Google confirmed in its advisory that an exploit for CVE-2026-5281 exists and has been used in the wild, though the company has not publicly attributed the exploitation to a specific threat actor or campaign at the time of disclosure. Details of observed exploitation targets have been withheld to allow the majority of users to update before additional technical information circulates.
UAF bugs in GPU-adjacent browser components have historically been chained with sandbox escape vulnerabilities to achieve full remote code execution outside the browser sandbox. Security teams should treat this vulnerability as a potential component of a multi-stage exploit chain until further analysis confirms otherwise.
Scope and Real-World Impact
Chrome holds the dominant share of the desktop browser market, making vulnerabilities in the browser a high-value target. Enterprise environments that rely on Chrome as a standard browser—particularly those using web-based SaaS applications that leverage WebGPU for rendering or ML inference—face elevated risk.
Successful exploitation can result in:
- Renderer process compromise, enabling an attacker to read and write memory within the Chrome renderer sandbox
- Potential sandbox escape if chained with a secondary privilege escalation bug
- Credential theft, session hijacking, or malware delivery depending on the attacker's payload and follow-on capabilities
- Data exfiltration from any content loaded in the compromised browser context
Organizations running Chrome in kiosk mode, on shared workstations, or in environments where users regularly browse external or untrusted web content face the highest operational risk.
Patch and Mitigation Guidance
1. Update Chrome Immediately
Google has released a patched version of Chrome that resolves CVE-2026-5281 along with the other 20 vulnerabilities addressed in this update cycle. Administrators and end users should update Chrome to the latest stable channel release without delay.
To verify and trigger an update manually:
- Navigate to
chrome://settings/help - Chrome will check for and apply available updates
- Restart the browser to complete the process
2. Enterprise Deployment
Enterprise administrators using Google Admin console, Microsoft Intune, or third-party patch management platforms should push the updated Chrome package immediately. Prioritize endpoints with unrestricted internet access and those used by personnel in high-risk roles such as finance, legal, and executive staff.
3. Chromium-Based Browsers
Dawn is also used by other Chromium-derived browsers. Teams running Microsoft Edge, Brave, Opera, or other Chromium-based products should monitor those vendors' advisory channels for corresponding patches and apply updates as they become available.
4. Threat Detection
SOC teams should review proxy and endpoint logs for anomalous browser activity, particularly renderer crashes or unexpected child process spawning from Chrome, which can indicate exploitation attempts. Enable crash reporting telemetry where policy allows to assist in identifying targeted activity.
5. WebGPU Restrictions (Temporary)
In high-sensitivity environments where immediate patching is not possible, administrators can disable WebGPU via Chrome enterprise policy flags as a temporary risk reduction measure. This will impact any web applications dependent on WebGPU functionality.
References
- Google Chrome Releases Blog: Stable Channel Update
- CVE-2026-5281 — NVD entry (pending full scoring)
- Dawn Project Repository: https://dawn.googlesource.com/dawn
Original Source
The Hacker News
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.