Google has released a critical security update for the Chrome Stable channel to address 21 security vulnerabilities. While the patch covers a wide array of flaws, one particular bug has put security teams on high alert: CVE-2026-5281. Google has officially confirmed that this vulnerability is currently being exploited in the wild.
The most pressing fix in this rollout addresses CVE-2026-5281, a high-severity “Use after free” vulnerability located in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been freed. Attackers can leverage this to execute arbitrary code or bypass critical security boundaries on a victim’s machine.
Google states: “Google is aware that an exploit for CVE-2026-5281 exists in the wild.” By acknowledging active exploitation, Google is signaling that users must update their browsers immediately to prevent potential system compromise.
Beyond the zero-day exploit, the update fixes 20 other vulnerabilities, the vast majority of which are rated as High severity. These include:
- Use After Free (UAF): Multiple UAF bugs were squashed in components like CSS (CVE-2026-5273), Web MIDI (CVE-2026-5278), PDF (CVE-2026-5287), and Navigation (CVE-2026-5289).
- Buffer Overflows: Fixes for heap buffer overflows in the GPU (CVE-2026-5272) and ANGLE (CVE-2026-5275) prevent attackers from overrunning memory buffers to crash the browser or run malicious code.
- Integer Overflows: Found and fixed in Codecs (CVE-2026-5274) and ANGLE (CVE-2026-5277).
- V8 Object Corruption: A high-severity fix for the V8 engine (CVE-2026-5279), Chrome’s core JavaScript execution component.
Google notes that while the patch is available now, the rollout will continue over the coming days and weeks. To protect the user base, Google is intentionally withholding specific technical details. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company stated, a standard practice to prevent more bad actors from developing their own exploits based on the fix.
The update is being deployed across all major desktop operating systems:
- Windows/Mac: Versions 146.0.7680.177/178
- Linux: Version 146.0.7680.177
Because Chrome typically updates in the background, many users may already be protected. However, given the active exploit, manual verification is highly recommended:
- Open Chrome.
- Click the three dots in the top right corner.
- Go to Help > About Google Chrome.
- The browser will check for updates and prompt a Relaunch to apply the patch.
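For teams checking many machines rather than one browser, the same verification can be run over an inventory export. The sketch below is an added example, not code from Google or from this report; the `host,os,version` row format, the hostnames and the sample versions are constructed, and it treats 146.0.7680.177 as the minimum patched build on every platform listed above.

```python
import re

# Patched builds as listed in the article (Windows/Mac ship .177/.178, so .177 is the floor).
PATCHED = {
    "windows": (146, 0, 7680, 177),
    "mac": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 146.0.7680.177'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    floor = PATCHED.get(os_name.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # platform not covered by the article, or no version reported
    # Compare as integer tuples: as strings, '146.0.7680.99' would sort above '.177'.
    return "patched" if version >= floor else "vulnerable"

def audit(inventory_lines):
    """Map each host in 'host,os,version string' rows to its status."""
    results = {}
    for line in inventory_lines:
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue  # skip comments and malformed rows
        host, os_name, version_text = parts
        results[host] = assess(os_name, version_text)
    return results

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    "ws-001,windows,Google Chrome 146.0.7680.178",
    "ws-002,windows,146.0.7680.99",
    "mac-010,mac,Google Chrome 146.0.7680.177",
    "lnx-020,linux,Google Chrome 145.0.7632.160",
    "lnx-021,linux,Google Chrome 147.0.7700.3",
    "kiosk-7,chromeos,146.0.7680.177",
    "ws-003,windows,not installed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since either the platform is outside the versions listed above or no version string could be read.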