Tags: vulnerability, critical, Code Execution, Memory Corruption, Zero-day, CVE-2026-2441, CVE-2026-3909, CVE-2026-3910

Apr 01, 2026 • Diksha Ojha

Google Addresses Zero-day Vulnerability Exploited in the Wild (CVE-2026-5281)

Source: Qualys ThreatPROTECT
Category: vulnerability
Severity: critical

Executive Summary

Google has issued an urgent security advisory addressing CVE-2026-5281, a critical zero-day vulnerability actively exploited in the wild. This use-after-free flaw exists within Dawn, the open-source implementation of the WebGPU standard, allowing attackers to execute arbitrary code or bypass security boundaries on victim machines. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging immediate patching before April 15, 2026. Qualys assigned a high vulnerability score of 95 due to active exploitation. This marks the fourth zero-day patched by Google this year. Affected Chrome versions prior to 146.0.7680.177 require immediate updates. Microsoft Edge users must also update to version 146.0.3856.97. Organizations should prioritize patching to mitigate risks associated with memory corruption flaws leveraging WebGPU components. Automated patching solutions are recommended to ensure timely remediation across environments.

Summary

Google released an urgent security advisory to address a vulnerability being exploited in the wild. CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been freed. Attackers can leverage this to execute arbitrary code or bypass critical security boundaries on a …

Published Analysis

Google released an urgent security advisory to address a vulnerability being exploited in the wild. CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been freed. Attackers can leverage this to execute arbitrary code or bypass critical security boundaries on a victim’s machine.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before April 15, 2026.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-5281. Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.

CVE-2026-5281 is the fourth zero-day vulnerability patched by Google since the start of the year. The list includes:

  • CVE-2026-2441
  • CVE-2026-3909
  • CVE-2026-3910

Google addressed 20 other vulnerabilities with the zero-day. The list includes:

  • CVE-2026-5273: Use-after-free in CSS.
  • CVE-2026-5272: Heap buffer overflow in GPU.
  • CVE-2026-5274: Integer overflow in Codecs.
  • CVE-2026-5275: Heap buffer overflow in ANGLE.
  • CVE-2026-5276: Insufficient policy enforcement in WebUSB.
  • CVE-2026-5277: Integer overflow in ANGLE.
  • CVE-2026-5278: Use-after-free in Web MIDI.
  • CVE-2026-5279: Object corruption in V8.
  • CVE-2026-5280: Use-after-free in WebCodecs.
  • CVE-2026-5282: Out-of-bounds read in WebCodecs.
  • CVE-2026-5283: Inappropriate implementation in ANGLE.
  • CVE-2026-5284: Use-after-free in Dawn.
  • CVE-2026-5285: Use-after-free in WebGL.
  • CVE-2026-5286: Use-after-free in Dawn.
  • CVE-2026-5287: Use-after-free in PDF.
  • CVE-2026-5288: Use-after-free in WebView.
  • CVE-2026-5289: Use-after-free in Navigation.
  • CVE-2026-5290: Use-after-free in Compositing.
  • CVE-2026-5291: Inappropriate implementation in WebGL.
  • CVE-2026-5292: Out-of-bounds read in WebCodecs.

Affected Versions

The vulnerability affects Google Chrome versions before 146.0.7680.177.

Mitigation

Customers must upgrade to the latest stable channel version 146.0.7680.177/178 for Windows/Mac and 146.0.7680.177 for Linux. For more information, please refer to the Google Chrome Release Page.
Microsoft has released Microsoft Edge Stable Channel (Version 146.0.3856.97) to address CVE-2026-5281, a vulnerability the Chromium team has reported as being exploited in the wild.

Qualys Detection

Qualys customers can scan their devices with QIDs 386954 and 386965 to detect vulnerable assets.

Rapid Response with TruRisk Eliminate

Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this. Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
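
For teams without a scanner, the fixed versions given under Affected Versions and Mitigation can be checked against a browser inventory export. The following is an added example, not code from Qualys or Google; the `host,product,version` CSV layout, the host names and the sample versions are constructed, and treating Edge builds below 146.0.3856.97 as unpatched is an assumption based on the fixed version stated above.

```python
import re

# Fixed versions as stated in the advisory text above.
FIXED = {
    "chrome": (146, 0, 7680, 177),
    "edge": (146, 0, 3856, 97),
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints for a Chromium-style version, or None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installed browser."""
    fixed = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never report an unparsed entry as safe
    # Integer tuple comparison: a string compare would rank ".99" above ".177".
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory_csv):
    """Map each 'host,product,version' line to (host, product, version, status)."""
    results = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        results.append((host, product, version, classify(product, version)))
    return results


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = """
ws-001,chrome,146.0.7680.177
ws-002,chrome,146.0.7680.99
ws-003,edge,146.0.3856.97
ws-004,edge,145.0.3800.70
ws-005,chrome,146.0.7680
ws-006,chrome,147.0.7700.10
"""

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE):
        print(f"{host:8} {product:7} {version:18} {status}")
```

Entries reported as `unknown` (truncated versions, products outside the table) need manual follow-up rather than being counted as remediated.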

Linked Entities

  • CVE-2026-2441
  • CVE-2026-3909
  • CVE-2026-3910
  • CVE-2026-5272
  • CVE-2026-5273
  • CVE-2026-5274
  • CVE-2026-5275
  • CVE-2026-5276
  • CVE-2026-5277
  • CVE-2026-5278
  • CVE-2026-5279
  • CVE-2026-5280