Google fixes Chrome zero-day with in-the-wild exploit (CVE-2026-5281)

Google has fixed 21 vulnerabilities affecting its popular Chrome browser, among them a zero-day (CVE-2026-5281) with an in-the-wild exploit.

About CVE-2026-5281

As per usual, information about the fixed zero-day is limited, and there’s no details about the exploit (or how/if it’s being used by attackers).

CVE-2026-5281’s official description says it’s a use-after-free (UAF) vulnerability in Dawn, an open-source and cross-platform implementation of the WebGPU standard that’s used in Chromium and Chromium-based browsers.

The vulnerability affects Chrome versions before v146.0.7680.177/178 for Windows/Mac, and before v146.0.7680.177 for Linux.

It allows “a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.”

CVE-2026-5281 was flagged by a pseudonymous bug hunter (86ac1f1587b71893ed2ad792cd7dde32), who previously reported two vulnerabilities that have been fixed in the Chrome update released on March 23, 2026: a heap buffer overflow in WebGL (CVE-2026-4675) and another use-after-free bug in Dawn (CVE-2026-4676).

The bug hunter also reported a third use-after-free in Dawn (CVE-2026-5284) that has been fixed this time around.

CVE-2026-5281 fixes for other Chromium-based browsers

Chrome users that rely on manual updating are advised to get on it. Those who have opted for auto-updating option will received it automatically and need only to restart the browser once the update becomes available.

Chromium-based Vivaldi has already pushed out the fix, while Microsoft is working on releasing one for its Edge browser.

Earlier this month, Google announced that starting in September 2026, the beta and stable versions of Chrome will be released once every two weeks, to minimize disruption and to deliver new features, improvements and bug fixes faster.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!