CVE-2026-5281 Overview
CVE-2026-5281 is a use-after-free vulnerability [CWE-416] in the Dawn component of Google Chrome. Dawn is Chromium's cross-platform implementation of the WebGPU standard. The flaw affects Google Chrome versions prior to 146.0.7680.178 across Windows, macOS, and Linux. A remote attacker who has already compromised the renderer process can leverage a crafted HTML page to execute arbitrary code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Google rates the Chromium security severity as High.
Critical Impact
An attacker who controls a compromised renderer can chain this use-after-free in Dawn to escape sandbox boundaries and execute arbitrary code on the host system.
Affected Products
- Google Chrome prior to 146.0.7680.178
- Chromium-based browsers using the Dawn WebGPU implementation
- Desktop platforms: Microsoft Windows, Apple macOS, and Linux
Discovery Timeline
- 2026-04-01 - CVE-2026-5281 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-5281
Vulnerability Analysis
The vulnerability resides in Dawn, the Chromium project's native implementation of the WebGPU API. Dawn brokers GPU command translation between the browser's renderer process and the underlying graphics drivers on Windows, macOS, and Linux. A use-after-free condition occurs when Dawn references a memory object after it has been freed, allowing the attacker to manipulate stale pointers.
Exploitation requires user interaction, typically loading or interacting with a malicious HTML page. The attacker must already control the renderer process, which makes this issue most useful as the second stage in a multi-bug exploit chain that escapes Chrome's sandbox. The CISA KEV listing confirms that attackers have weaponized the flaw in production environments. The EPSS probability stands above the 77th percentile, reflecting elevated exploitation likelihood.
Root Cause
The defect is classified as CWE-416: Use After Free. Dawn fails to invalidate or properly track the lifecycle of an internal GPU resource object. When the renderer reuses the freed allocation, the attacker can place controlled data in the reclaimed memory and influence subsequent virtual function calls or object dereferences inside the Dawn process boundary.
Attack Vector
The attack chain begins with the victim visiting attacker-controlled content. The renderer process must first be compromised through a separate vulnerability or content-based primitive. Once inside the renderer, the attacker issues crafted WebGPU calls through Dawn to trigger the dangling reference, gain code execution with the privileges available to Dawn, and pivot toward a full sandbox escape.
No verified public proof-of-concept code is available. Technical details are tracked in the Chromium Issue Tracker Entry and the Google Chrome Desktop Update advisory.
Detection Methods for CVE-2026-5281
Indicators of Compromise
- Chrome browser processes spawning unexpected child processes such as cmd.exe, powershell.exe, or shell interpreters from the GPU or renderer process tree.
- Crash reports referencing dawn:: symbols, WebGPU device contexts, or GPU process aborts following visits to untrusted sites.
- Outbound network connections from Chrome to recently registered or low-reputation domains immediately after WebGPU-heavy page loads.
Detection Strategies
- Hunt for anomalous process lineage where chrome.exe (or the platform equivalent) spawns scripting hosts, LOLBins, or arbitrary executables.
- Inspect Chrome stability and chrome://crashes telemetry for repeated GPU or renderer crashes correlated with WebGPU usage.
- Correlate browser version inventory with the patched build 146.0.7680.178 and flag endpoints still running vulnerable versions.
Monitoring Recommendations
- Enable enterprise reporting via Chrome Browser Cloud Management to capture extension, crash, and version telemetry centrally.
- Forward endpoint process creation events (Sysmon Event ID 1, EDR telemetry) for Chrome child processes into your SIEM for retroactive hunting.
- Track CISA KEV updates and prioritize alerts for assets confirmed to be running unpatched Chromium-derived browsers.
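The process-lineage hunt described above, as an added example (not code from this advisory or from Google): it triages Sysmon Event ID 1 records whose parent is chrome.exe and uses the parent's --type= switch to tell a sandboxed GPU or renderer parent from the browser process. The event rows, the severity labels and every child name beyond cmd.exe and powershell.exe are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# cmd.exe and powershell.exe are named in the advisory; the other scripting
# hosts and LOLBins are an assumption added for this example.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SANDBOXED_ROLES = {"renderer", "gpu-process"}
ROLE_RE = re.compile(r"--type=([\w-]+)")

def basename(path):
    return PureWindowsPath(path or "").name.lower()

def chrome_role(cmdline):
    """Chrome child processes carry --type=<role>; the browser process has none."""
    m = ROLE_RE.search(cmdline or "")
    return m.group(1) if m else "browser"

def triage(event):
    """Return (severity, reason) for one Sysmon Event ID 1 record, or None."""
    child = basename(event.get("Image"))
    if basename(event.get("ParentImage")) != "chrome.exe" or child == "chrome.exe":
        return None  # not a Chrome parent, or an ordinary Chrome child process
    role = chrome_role(event.get("ParentCommandLine"))
    if role in SANDBOXED_ROLES:
        # Assumption: sandboxed renderer/GPU processes never need to start other programs.
        return ("high", f"{role} process spawned {child}")
    if child in SUSPECT_CHILDREN:
        # The browser process can start helpers legitimately, so rate lower and review.
        return ("medium", f"browser process spawned {child}")
    return None

def ev(parent_image, parent_cmdline, image):
    return {"ParentImage": parent_image, "ParentCommandLine": parent_cmdline, "Image": image}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events, not captured telemetry.
EVENTS = [
    ev(CHROME, "chrome.exe --type=gpu-process", r"C:\Windows\System32\cmd.exe"),
    ev(CHROME, "chrome.exe", CHROME),
    ev(CHROME, "chrome.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev(CHROME, "chrome.exe --type=renderer", r"C:\Windows\System32\notepad.exe"),
    ev(r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

def hunt(events):
    return [hit for hit in map(triage, events) if hit]
```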
How to Mitigate CVE-2026-5281
Immediate Actions Required
- Update Google Chrome to version 146.0.7680.178 or later on all Windows, macOS, and Linux endpoints without delay.
- Audit Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply vendor patches that incorporate the upstream Dawn fix.
- Restart Chrome after the update to ensure the patched binaries are loaded; pending updates do not protect a running session.
Patch Information
Google released the fix in the Stable Channel update for desktop documented in the Google Chrome Desktop Update. The fixed build is 146.0.7680.178. Administrators can also reference the CISA Known Exploited Vulnerability entry, which mandates federal remediation timelines.
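One way to run the version audit against the fixed build 146.0.7680.178, as an added example (not code from this advisory): it compares versions numerically, separates hosts where the patched build is installed but the old one is still running, and defers other Chromium-based browsers to their vendor advisories because this page gives no fixed builds for them. The inventory rows and field names are constructed assumptions.

```python
import re

FIXED_CHROME = (146, 0, 7680, 178)  # fixed build stated in the advisory
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from raw output such as 'Google Chrome 146.0.7680.178 '."""
    m = VERSION_RE.search(text or "")
    return tuple(map(int, m.groups())) if m else None

def classify(record):
    """Return the patch state for one inventory record (field names are assumptions)."""
    if record["browser"] != "chrome":
        # The advisory lists no fixed build numbers for other Chromium-based browsers.
        return "check-vendor-advisory"
    installed = parse_version(record.get("installed"))
    running = parse_version(record.get("running"))
    if installed is None:
        return "unknown"
    if installed < FIXED_CHROME:  # tuple comparison, so .99 sorts below .178
        return "vulnerable"
    # Patched binaries on disk do not protect a session still running the old build.
    if running is not None and running < FIXED_CHROME:
        return "restart-pending"
    return "patched"

# Constructed inventory rows, not real endpoint data.
INVENTORY = [
    {"host": "ws-01", "browser": "chrome", "installed": "Google Chrome 146.0.7680.178 ",
     "running": "146.0.7680.178"},
    {"host": "ws-02", "browser": "chrome", "installed": "Google Chrome 146.0.7680.99",
     "running": "146.0.7680.99"},
    {"host": "ws-03", "browser": "chrome", "installed": "146.0.7680.180",
     "running": "146.0.7680.164"},
    {"host": "ws-04", "browser": "edge", "installed": "146.0.3856.59",
     "running": "146.0.3856.59"},
    {"host": "ws-05", "browser": "chrome", "installed": "not installed", "running": None},
]

def audit(inventory):
    return {r["host"]: classify(r) for r in inventory}

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host}: {state}")
```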
Workarounds
- Disable WebGPU by launching Chrome with the --disable-features=WebGPU flag or via enterprise policy until patching completes.
- Restrict navigation to untrusted sites using URL filtering, DNS protection, or Safe Browsing Enhanced Protection.
- Enforce site isolation and consider deploying browser policies that block third-party HTML content from unknown origins on high-risk endpoints.
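# Configuration example: disable WebGPU and set the Chrome version target via enterprise policy
# Policy names are shown as given in this advisory; confirm each against the Chrome Enterprise policy list for your platform before rollout.

# Windows (registry, Chrome Enterprise policy; run from an elevated Command Prompt)
reg add "HKLM\Software\Policies\Google\Chrome" /v "DisabledFeatures" /t REG_SZ /d "WebGPU" /f

# Linux (managed policy JSON; save as /etc/opt/chrome/policies/managed/cve-2026-5281.json)
# Note: TargetVersionPrefix pins updates to versions matching the prefix; it is not a minimum-version check.
{
  "DisabledFeatures": ["WebGPU"],
  "TargetVersionPrefix": "146.0.7680.178"
}

# Verify installed version (Linux)
google-chrome --version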