New Chrome zero-day vulnerability is under active attack, and Google has already pushed a fix
Google has released an emergency Chrome update to fix a zero-day vulnerability that attackers are already exploiting in the wild. The flaw, tracked as CVE-2026-5281, affects Dawn, the graphics component Chrome uses for WebGPU, and Google says users should update as soon as the patch reaches their devices.
The patched versions are 146.0.7680.177 or 146.0.7680.178 for Windows and Mac, and 146.0.7680.177 for Linux. Google published the update on March 31, 2026, and said the rollout will continue over the coming days and weeks, which means some users may not see it immediately unless they check manually.
This issue matters because Google has confirmed real-world exploitation, not just a theoretical risk. In its release note, the company said it is aware that an exploit for CVE-2026-5281 exists in the wild, while NVD describes the bug as a use-after-free flaw that could let an attacker who has already compromised the renderer process execute arbitrary code through a crafted HTML page.
What CVE-2026-5281 does
CVE-2026-5281 is a high-severity use-after-free bug in Dawn. Dawn is part of Chrome’s WebGPU stack, which helps modern web apps and sites handle advanced graphics tasks more efficiently.
In practical terms, use-after-free flaws can let attackers corrupt memory after the browser has released it. That kind of bug can sometimes lead to crashes, data exposure, or code execution, depending on how the exploit chain works and what other protections the attacker can bypass.
Google has not published full technical details yet, and that is deliberate. The company said it may keep bug details and links restricted until most users receive the fix, which is standard practice when active exploitation is already underway.
This patch fixes more than one problem
The emergency Chrome release does not only address the zero-day. Google said this desktop update includes 21 security fixes in total, making this a wider security update rather than a one-bug hotfix.
Several of the patched issues are rated high severity and affect major Chrome components such as GPU, CSS, Codecs, ANGLE, WebUSB, Web MIDI, V8, WebCodecs, Dawn, WebGL, PDF, WebView, Navigation, and Compositing. That broad spread shows how many attack surfaces modern browsers expose across graphics, media, JavaScript, and rendering features.
Google’s published list also shows that some of the bugs came from internal discovery, not only outside researchers. Three high-severity issues in this release, including flaws in WebView, Navigation, and Compositing, were reported by Google itself.
Versions and risk at a glance
| Platform | Patched version |
|---|---|
| Windows | 146.0.7680.177 / 146.0.7680.178 |
| Mac | 146.0.7680.177 / 146.0.7680.178 |
| Linux | 146.0.7680.177 |

| Key detail | Status |
|---|---|
| Zero-day tracked as | CVE-2026-5281 |
| Bug type | Use-after-free |
| Affected component | Dawn / WebGPU |
| Exploited in the wild | Yes |
| Google advisory date | March 31, 2026 |
| Added to CISA KEV | Yes |
Why this patch deserves priority
This is not a routine browser update you should leave for later. CISA has already added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog, which means U.S. federal agencies must address it by April 15, 2026 under Binding Operational Directive 22-01.
That CISA action usually signals a higher level of urgency for enterprise defenders, even outside government. Once a bug lands in KEV, security teams often treat it as a priority because confirmed exploitation means attackers already know how to weaponize it.
For regular users, the advice stays simple: update Chrome, restart it, and make sure the new version actually installed. For businesses, patching through endpoint management tools makes more sense, especially if users delay browser restarts.
What users and admins should do now
- Open Chrome
- Click the three-dot menu
- Go to **Help**
- Click **About Google Chrome**
- Let Chrome download the latest update
- Restart the browser when prompted
- Confirm the browser now shows version 146.0.7680.177 or 146.0.7680.178, depending on platform
For IT teams, the immediate checklist looks like this:
- Push the latest Chrome build through your management platform
- Verify restart compliance on managed endpoints
- Watch for systems stuck on older 146 builds or earlier
- Prioritize high-risk groups such as admins, developers, and users with elevated access
- Check whether other Chromium-based browsers in your environment have published matching fixes
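The first three checklist items can be automated as a fleet check. The following is an added example, not code from Google or from the original article: it assumes a hypothetical inventory export with `host`, `platform`, `installed` and `running` columns, treats 146.0.7680.177 as the minimum patched build on every platform, and uses constructed sample rows.

```python
import csv
import io

# Assumption: .177 is the lowest fixed build the article lists for each platform.
MIN_PATCHED = {"windows": "146.0.7680.177", "mac": "146.0.7680.177", "linux": "146.0.7680.177"}

# Constructed sample inventory (hypothetical columns, not a real tool's export format).
SAMPLE_INVENTORY = """host,platform,installed,running
ws-001,windows,146.0.7680.178,146.0.7680.178
ws-002,windows,146.0.7680.178,146.0.7680.165
mb-003,mac,146.0.7680.99,146.0.7680.99
lx-004,linux,146.0.7680.177,146.0.7680.177
ws-005,windows,145.0.7632.160,145.0.7632.160
lx-006,linux,unknown,
"""

def parse_version(text):
    """Return a four-part Chrome version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Classify one endpoint as patched, restart_pending, vulnerable or unknown."""
    minimum = MIN_PATCHED.get((row["platform"] or "").strip().lower())
    installed = parse_version(row["installed"] or "")
    running = parse_version(row["running"] or "")
    if minimum is None or installed is None or running is None:
        return "unknown"
    floor = parse_version(minimum)
    # Compare as integer tuples: as strings, "146.0.7680.99" sorts after "146.0.7680.177".
    if running >= floor:
        return "patched"
    # The update is on disk, but the old binary is still the one executing.
    if installed >= floor:
        return "restart_pending"
    return "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV text to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as `restart_pending` have downloaded the fix but are still running the vulnerable build, which is the gap the restart-compliance item is meant to close.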
Frequently asked questions
It is a high-severity use-after-free vulnerability in Dawn, part of Chrome’s WebGPU implementation. Google says attackers are already exploiting it in the wild.
Google says the fix arrives in version 146.0.7680.177 or 146.0.7680.178 for Windows and Mac, and 146.0.7680.177 for Linux.
Yes. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026.
No. Google said the rollout will happen over days and weeks, so managed environments should push the update directly instead of waiting.