CISA warns of actively exploited Chrome zero-day as Google ships fix


CISA has added a newly exploited Chrome vulnerability, CVE-2026-5281, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to address it by April 15, 2026. The flaw affects Google Dawn, the open-source WebGPU component used by Chromium, and Google says it has already seen an exploit for the bug in the wild.

Google patched the issue in Chrome 146.0.7680.177/.178 for Windows and Mac and 146.0.7680.177 for Linux on March 31, 2026. In its release notes, Google identified CVE-2026-5281 as a high-severity use-after-free bug in Dawn and said details would remain restricted until more users received the fix.

For users and IT teams, the message is simple: update Chrome now. Because the flaw sits in Chromium’s graphics stack rather than in a Chrome-only feature, other Chromium-based browsers may also need updates from their own vendors. Vivaldi, for example, said its April 1 desktop and Android updates include a fix for CVE-2026-5281 and noted that the vulnerability has a known exploit in the wild.

What CISA and Google are saying

CISA’s KEV entry describes CVE-2026-5281 as a Google Dawn use-after-free vulnerability that could let a remote attacker who first compromised the browser renderer process execute arbitrary code via a crafted HTML page. The agency added the bug to the KEV catalog on April 1 and set an April 15 remediation deadline for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01.

Google’s advisory confirms the technical root cause. The company lists CVE-2026-5281 as a high-severity use-after-free in Dawn, credits the report to a researcher on March 10, 2026, and states that an exploit exists in the wild.

That combination makes this more urgent than a routine browser fix. A KEV listing means CISA has enough evidence of real-world abuse to require action across federal networks, and Google’s wording removes any doubt that attackers are already trying to use the bug.

Why the flaw matters beyond Chrome

CVE-2026-5281 lives in Dawn, which Chromium uses for WebGPU-related functionality. That means the risk does not stop with Chrome alone. Browsers built on Chromium often need to pull in the same upstream fixes before users are fully protected.

We already have one clear example. Vivaldi said both its desktop and Android updates released on April 1 upgraded to Chromium 146.0.7680.182 and included a fix for CVE-2026-5281, explicitly noting that the vulnerability had a known exploit in the wild.

That does not automatically confirm patch status for every Chromium-based browser on the same day. It does show that downstream vendors needed to ship their own updates, which is why organizations should check each browser they allow on managed systems rather than assuming a Chrome patch covers the full fleet.

What organizations should do now

| Action | Why it matters |
| --- | --- |
| Update Chrome immediately | Google’s patched versions close CVE-2026-5281. |
| Check Chromium-based browsers separately | Each vendor needs to ship its own update. |
| Prioritize patch deployment in enterprise cycles | CISA has classified the flaw as actively exploited. |
| Review browser inventory on endpoints | Mixed browser environments may leave gaps after a Chrome-only update. |
| Subscribe to KEV and vendor advisories | This helps teams react faster to future exploited browser bugs. |
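
One way to run the version check on a browser inventory, as an added Python example that is not part of the original article or any vendor tooling. It compares versions numerically against the fixed builds quoted above and keeps Chromium-based browsers other than Chrome and Vivaldi in a separate "verify with vendor" bucket. The host names, inventory rows, status labels and the OtherChromiumBrowser entry are constructed, and treating an older Vivaldi base as needing an update is an assumption.

```python
import re
from datetime import date

# Values from the article
CHROME_FIXED = (146, 0, 7680, 177)         # first fixed Chrome build (Windows, Mac, Linux)
VIVALDI_FIXED_BASE = (146, 0, 7680, 182)   # Chromium base of Vivaldi's April 1 update
KEV_DUE = date(2026, 4, 15)                # CISA deadline for FCEB agencies

def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def classify(browser, chromium_version):
    """Classify one install by browser name and the Chromium version it reports."""
    version = parse_version(chromium_version)
    if version is None:
        return "UNKNOWN"
    name = browser.lower()
    if name == "chrome":
        return "PATCHED" if version >= CHROME_FIXED else "UPDATE_NOW"
    if name == "vivaldi":
        # Assumption: a Vivaldi build on an older base predates its April 1 fix.
        return "PATCHED" if version >= VIVALDI_FIXED_BASE else "UPDATE_NOW"
    # Other Chromium-based browsers: the article gives no fixed build for them.
    # Assumption: vendor backports onto an older base are not considered here.
    return "VERIFY_WITH_VENDOR" if version >= CHROME_FIXED else "UPDATE_NOW"

def fleet_report(inventory, today):
    """Return (findings, overdue): installs not confirmed patched, and whether
    any UPDATE_NOW install remains after the KEV due date."""
    findings = [(host, browser, classify(browser, version))
                for host, browser, version in inventory]
    findings = [row for row in findings if row[2] != "PATCHED"]
    overdue = today > KEV_DUE and any(row[2] == "UPDATE_NOW" for row in findings)
    return findings, overdue

# Constructed sample inventory: (host, browser, Chromium version reported).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "146.0.7680.178"),
    ("ws-002", "Chrome", "146.0.7680.99"),    # numerically below .177
    ("ws-003", "Vivaldi", "146.0.7680.182"),
    ("ws-004", "OtherChromiumBrowser", "146.0.7680.180"),  # hypothetical browser
    ("ws-005", "Chrome", "not-installed"),
]

if __name__ == "__main__":
    findings, overdue = fleet_report(SAMPLE_INVENTORY, date(2026, 4, 16))
    for host, browser, status in findings:
        print(f"{host:8} {browser:22} {status}")
    print("Past KEV due date with unpatched installs:", overdue)
```

The ws-002 row shows why the comparison is numeric: as plain strings, "146.0.7680.99" sorts after "146.0.7680.177" and would be reported as patched.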

Quick facts

  • CVE: CVE-2026-5281
  • Component: Google Dawn / WebGPU stack in Chromium
  • Bug type: Use-after-free
  • Exploitation status: Exploit exists in the wild
  • Google Chrome fixed versions: 146.0.7680.177/.178 for Windows and Mac, 146.0.7680.177 for Linux
  • CISA KEV date added: April 1, 2026
  • CISA due date for FCEB agencies: April 15, 2026

FAQ

What is CVE-2026-5281?

It is a high-severity use-after-free vulnerability in Google Dawn, the Chromium WebGPU component. Google patched it in Chrome 146.0.7680.177/.178 for desktop platforms, and CISA later added it to the KEV catalog as actively exploited.

Is the flaw being exploited right now?

Yes. Google said it is aware that an exploit for CVE-2026-5281 exists in the wild, and CISA’s KEV inclusion reflects active exploitation.

Are other Chromium browsers affected?

Potentially yes, because the flaw is in Chromium’s Dawn component. At least one downstream vendor, Vivaldi, has already shipped updates that specifically mention CVE-2026-5281.

What should users do?

Update Chrome right away and check for updates in any Chromium-based browser you use. In managed environments, admins should treat browser patching as urgent and verify version coverage across all endpoints.
