Google Addresses Zero-day Vulnerability Exploited in the Wild (CVE-2026-5281)

Google released an urgent security advisory to address a vulnerability being exploited in the wild. CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been freed. Attackers can leverage this to execute arbitrary code or bypass critical security boundaries on a victim’s machine.

CVE-2026-5281 is the second zero-day vulnerability Google has patched since the start of the year; the first was CVE-2026-2441.

Google addressed 20 other vulnerabilities alongside the zero-day. The list includes:

  1. CVE-2026-5273: Use after free in CSS. 
  2. CVE-2026-5272: Heap buffer overflow in GPU. 
  3. CVE-2026-5274: Integer overflow in Codecs. 
  4. CVE-2026-5275: Heap buffer overflow in ANGLE. 
  5. CVE-2026-5276: Insufficient policy enforcement in WebUSB. 
  6. CVE-2026-5277: Integer overflow in ANGLE. 
  7. CVE-2026-5278: Use after free in Web MIDI. 
  8. CVE-2026-5279: Object corruption in V8. 
  9. CVE-2026-5280: Use after free in WebCodecs. 
  10. CVE-2026-5282: Out of bounds read in WebCodecs. 
  11. CVE-2026-5283: Inappropriate implementation in ANGLE. 
  12. CVE-2026-5284: Use after free in Dawn. 
  13. CVE-2026-5285: Use after free in WebGL. 
  14. CVE-2026-5286: Use after free in Dawn. 
  15. CVE-2026-5287: Use after free in PDF. 
  16. CVE-2026-5288: Use after free in WebView. 
  17. CVE-2026-5289: Use after free in Navigation. 
  18. CVE-2026-5290: Use after free in Compositing. 
  19. CVE-2026-5291: Inappropriate implementation in WebGL. 
  20. CVE-2026-5292: Out of bounds read in WebCodecs.

Affected Versions

The vulnerability affects Google Chrome versions before 146.0.7680.177.

Mitigation

Customers must upgrade to the latest stable channel version 146.0.7680.177/178 for Windows/Mac and 146.0.7680.177 for Linux.

For more information, please refer to the Google Chrome Release Page.

Qualys Detection

Qualys customers can scan their devices with QID 386954 to detect vulnerable assets.

Rapid Response with TruRisk™ Eliminate

Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html