Google released an emergency Chrome update today patching 21 vulnerabilities, including CVE-2026-5281 — a use-after-free in Dawn, Chrome’s WebGPU implementation, that’s already being exploited in the wild. This is the fourth actively weaponized Chrome zero-day since January.

What Happened

CVE-2026-5281 is a use-after-free (UAF) vulnerability in Dawn, the open-source, cross-platform implementation of the WebGPU standard that Chrome uses for GPU-accelerated rendering. An attacker who has already compromised the renderer process can exploit this bug to execute arbitrary code via a specially crafted HTML page.

The vulnerability was reported by a pseudonymous researcher (86ac1f1587b71893ed2ad792cd7dde32) who has previously disclosed multiple Chrome bugs.

What’s Vulnerable

  • Chrome for Windows/macOS: versions before 146.0.7680.178
  • Chrome for Linux: versions before 146.0.7680.177
  • Any Chromium-based browser shipping the affected Dawn component (Edge, Brave, etc.)

Why This Matters

WebGPU is a relatively new attack surface. Dawn handles direct GPU memory management, and use-after-free bugs in this layer can give attackers a powerful primitive for sandbox escape chains. The fact that this is Chrome’s fourth in-the-wild zero-day this year signals that browser exploitation — particularly targeting GPU and rendering subsystems — is an active area of investment for threat actors.

For infrastructure teams, the risk is real even if this isn’t a server-side CVE. Engineers routinely access cloud consoles, CI/CD dashboards, and internal admin panels through Chrome. A compromised browser session is a direct path to credentials, session tokens, and infrastructure control planes.

What to Do

  • Update Chrome immediately to 146.0.7680.177 (Linux) or 146.0.7680.178 (Windows/macOS). Go to chrome://settings/help to force the update and restart.
  • Push updates through your fleet management if you’re managing Chrome via enterprise policies (GCPW, Intune, etc.). Don’t wait for auto-update to roll out.
  • Audit Chromium-based browsers in your environment — Edge, Brave, and Electron apps bundling Chromium may ship the vulnerable Dawn code. Check downstream advisories.
  • Review browser isolation posture — if you’re not running a browser isolation layer for access to sensitive admin panels, this is a good reminder of why you should be.
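
To support the update and audit steps above, here is an added example (not from Google or any vendor) that checks a browser inventory export against the fixed versions listed in this post. The CSV column names, host names, and sample version strings are constructed for illustration. Non-Chrome Chromium browsers are flagged for manual review, since their version numbers follow each vendor's own scheme.

```python
import csv
import io

# Fixed Chrome versions per platform, taken from the advisory text above.
FIXED = {
    "windows": (146, 0, 7680, 178),
    "macos": (146, 0, 7680, 178),
    "linux": (146, 0, 7680, 177),
}

# Constructed sample inventory: hosts, columns and versions are hypothetical.
SAMPLE_INVENTORY = """host,platform,browser,version
build-01,linux,chrome,146.0.7680.177
dev-laptop-07,macos,chrome,146.0.7680.100
admin-ws-02,windows,chrome,146.0.7680.178
kiosk-11,windows,chrome,145.0.0.0
dev-laptop-09,macos,brave,1.0.0
ci-runner-3,linux,chrome,unknown
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if not a Chrome-style version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Classify one inventory row as 'patched', 'vulnerable' or 'review'."""
    platform = row["platform"].strip().lower()
    browser = row["browser"].strip().lower()
    version = parse_version(row["version"])
    # Other Chromium-based browsers number their releases differently, so
    # comparing them to Chrome's thresholds would mislead: send to review.
    if browser != "chrome" or platform not in FIXED or version is None:
        return "review"
    return "patched" if version >= FIXED[platform] else "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Rows marked "review" are the ones to match against downstream advisories or to re-inventory; they are not confirmed safe.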