Google released an urgent security advisory to address a vulnerability being exploited in the wild. CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been freed. Attackers can leverage this to execute arbitrary code or bypass critical security boundaries on a victim’s machine.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before April 15, 2026.
CVE-2026-5281 is the fourth zero-day vulnerability patched by Google since the start of the year. The list includes:
Google addressed 20 other vulnerabilities with the zero-day. The list includes:
- CVE-2026-5273: Use-after-free in CSS.
- CVE-2026-5272: Heap buffer overflow in GPU.
- CVE-2026-5274: Integer overflow in Codecs.
- CVE-2026-5275: Heap buffer overflow in ANGLE.
- CVE-2026-5276: Insufficient policy enforcement in WebUSB.
- CVE-2026-5277: Integer overflow in ANGLE.
- CVE-2026-5278: Use-after-free in Web MIDI.
- CVE-2026-5279: Object corruption in V8.
- CVE-2026-5280: Use-after-free in WebCodecs.
- CVE-2026-5282: Out-of-bounds read in WebCodecs.
- CVE-2026-5283: Inappropriate implementation in ANGLE.
- CVE-2026-5284: Use-after-free in Dawn.
- CVE-2026-5285: Use-after-free in WebGL.
- CVE-2026-5286: Use-after-free in Dawn.
- CVE-2026-5287: Use-after-free in PDF.
- CVE-2026-5288: Use-after-free in WebView.
- CVE-2026-5289: Use-after-free in Navigation.
- CVE-2026-5290: Use-after-free in Compositing.
- CVE-2026-5291: Inappropriate implementation in WebGL.
- CVE-2026-5292: Out-of-bounds read in WebCodecs.
Affected Versions
The vulnerability affects Google Chrome versions before 146.0.7680.177.
Mitigation
Customers must upgrade to the latest stable channel version 146.0.7680.177/178 for Windows/Mac and 146.0.7680.177 for Linux.
For more information, please refer to the Google Chrome Release Page.
Microsoft has released Microsoft Edge Stable Channel (Version 146.0.3856.97) to address CVE-2026-5281, a vulnerability the Chromium team has reported as being exploited in the wild.
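The version thresholds above can be checked against a software inventory. The following is an added example, not code from Google, Microsoft or Qualys: it compares installed Chrome and Edge builds numerically against the fixed versions named in this advisory. The inventory rows, hostnames and function names are constructed for illustration, and treating Edge builds below 146.0.3856.97 as vulnerable is an assumption based on the fixed version stated above.

```python
# Added example: flag browser installs older than the fixed builds in this advisory.
# Inventory rows below are constructed sample data, not real telemetry.
import re

# Fixed builds taken from the advisory text.
FIXED = {
    "chrome": (146, 0, 7680, 177),
    "edge": (146, 0, 3856, 97),  # assumption: anything older is still exposed
}

def parse_version(text):
    """Return a 4-part integer tuple, or None if not a dotted build number."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def assess(product, version):
    """Classify one install as 'vulnerable', 'patched' or 'unknown'."""
    fixed = FIXED.get(product.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # unrecognised product or version: review manually
    # Tuple comparison is numeric per component, so 146.0.7680.80 sorts below
    # 146.0.7680.177; a plain string comparison would get this wrong.
    return "vulnerable" if parsed < fixed else "patched"

def triage(inventory):
    """Return (host, product, version, status) for rows not confirmed patched."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "146.0.7680.80"),
    ("ws-002", "Chrome", "146.0.7680.178"),
    ("ws-003", "Edge", "146.0.3856.84"),
    ("ws-004", "Edge", "146.0.3856.97"),
    ("ws-005", "Chrome", "145.0.7632.160"),
    ("ws-006", "Chrome", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-8s %-7s %-16s %s" % row)
```

Rows reported as unknown are kept in the findings so that installs with unparseable version strings are not silently counted as patched.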
Qualys Detection
Qualys customers can scan their devices with QIDs 386954 and 386965 to detect vulnerable assets.
Rapid Response with TruRisk™ Eliminate
Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html