Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Actively Exploited in the Wild

Summary

Google has released an emergency Chrome update to patch CVE-2026-5281, a high-severity use-after-free vulnerability in Dawn, the open-source WebGPU implementation used in Chromium. The flaw allows remote code execution through a specially crafted HTML page if the renderer process is compromised, and Google has confirmed active exploitation in the wild.

This marks the fourth Chrome zero-day patched by Google in 2026. The fix shipped on March 31 in Chrome versions 146.0.7680.177/178 for Windows and macOS, and 146.0.7680.177 for Linux. The vulnerability was initially reported on March 10 by an anonymous researcher. Google is withholding technical details while users update.

The update also addresses 20 additional vulnerabilities across Chrome’s codebase.

Sources

• Help Net Security — Google Chrome Zero-Day CVE-2026-5281
• BleepingComputer — Google Fixes Fourth Chrome Zero-Day
• SecurityWeek — Exploited Zero-Day Among 21 Vulnerabilities Patched

Commentary

Four Chrome zero-days in under four months is a pace that should concern everyone. WebGPU-related vulnerabilities are particularly interesting because they sit at the intersection of GPU access and web content — a growing attack surface as browsers take on more compute-heavy workloads with AI inference, gaming, and graphics processing happening directly in the browser.

The use-after-free class of bugs continues to dominate Chrome’s vulnerability landscape despite years of memory safety improvements. If you’re running Chrome, update immediately — chrome://settings/help will force the check. Enterprise admins should push the update through their management consoles today.