PATCH BEFORE EOD | ZERO-DAY ALERT
Active ThreatUpdated 10 min read

Chrome's 4th Zero-Day of 2026 Was Already in the Wild

Four actively exploited vulnerabilities. One browser. Under 100 days. CVE-2026-5281 confirms that whoever is hunting Chrome's attack surface has not stopped.

Sources:Google Chrome Security Advisory|CISA KEV Catalog|Bleeping Computer|NIST NVD|SOCRadar
4
Chrome zero-days in 2026
<100
Days since January 1
3 of 4
Target graphics & rendering
3B+
Chrome users in target pool

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

On March 31, 2026, Google shipped an emergency update for Chrome fixing 21 vulnerabilities, including CVE-2026-5281, a use-after-free flaw in Dawn, the component that implements the WebGPU standard inside Chromium-based browsers. The advisory was brief and deliberately sparse: "Google is aware that an exploit for CVE-2026-5281 exists in the wild."

The next day, April 1, CISA added it to the Known Exploited Vulnerabilities catalog and issued a remediation deadline of April 15, 2026 for Federal Civilian Executive Branch agencies. A KEV addition on the same day as a patch should be treated as a signal to act immediately, not at the next patch window.

This is now the fourth Chrome zero-day patched in 2026. The first three arrived in February and March. All four were confirmed exploited in attacks. None of them were theoretical. Someone has been hunting Chrome's attack surface systematically, and they have been finding things.

The technical anatomy: what use-after-free in Dawn actually means

A use-after-free (UAF) bug occurs when a program frees a block of memory but retains a pointer to that memory and continues to reference it. Once freed, that memory block may be reallocated by the allocator for a completely different purpose. The original stale pointer now points to attacker-influenced data.

In a standard UAF exploitation scenario, an attacker manipulates the memory allocator so that the freed block gets reclaimed in a way they control. When the vulnerable code dereferences the stale pointer, it is operating on attacker-chosen data, in the best case for the attacker, allowing hijacking of control flow and execution of arbitrary code.

The location of this bug matters enormously. Dawn is Chrome's cross-platform implementation of WebGPU, the emerging web standard that gives browser-based applications lower-level access to the GPU. WebGPU is increasingly used in browser-based games, machine learning inference in the browser, and data visualization. GPU-facing code introduces memory management patterns far more complex than standard CPU-side allocation. GPU resources often have asynchronous lifecycles, and managing when objects are valid to reference is genuinely difficult. This complexity is a feature of the attack surface, not a coincidence.

Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.

NVD Description, Confirmed Attacker Model

Why "renderer compromise required" is not reassuring

The official vulnerability description includes a qualifier that some readers may misinterpret as a limiting factor: the attacker must have already compromised the renderer process. This sounds like a prerequisite that reduces risk. It is the opposite.

Modern Chrome uses a multi-process architecture where each tab runs in a sandboxed renderer process. A vulnerability that requires renderer access is typically the second bug in an exploit chain, the attacker uses a separate vulnerability to break into the renderer first, and then uses the Dawn UAF to escalate privileges, potentially escaping Chrome's sandbox entirely.

In practice, CVE-2026-5281 was almost certainly deployed as part of a two-stage chain. The fact that Google confirmed in-the-wild exploitation while restricting full technical details strongly suggests that at least one renderer escape was being combined with this bug. The attack surface extends well beyond what the CVE description alone implies.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The 2026 Chrome zero-day timeline

CVE-2026-5281 is the fourth entry in a series that has targeted very different parts of Chrome's codebase in under 100 days. Three of the four target graphics or rendering subsystems. This spread is not coincidental, it reflects how Chrome's attack surface has evolved. The browser is now a graphics engine, a JavaScript runtime, a WebAssembly platform, and a GPU compute interface. Attackers are probing Chrome as a full computing platform, and they are finding weaknesses in each layer.

1

CVE-2026-2441, February 2026

Iterator invalidation in CSSFontFeatureValuesMap, Chrome's CSS font feature value implementation. Patched mid-February 2026. [CSS engine]

2

CVE-2026-3909, March 2026

Out-of-bounds write in Skia, Chrome's 2D graphics library. CVSS 8.8. Patched March 23, 2026 alongside CVE-2026-3910. [Skia graphics]

3

CVE-2026-3910, March 2026

Inappropriate implementation in V8, Chrome's JavaScript and WebAssembly engine. CVSS 8.8. Patched March 23, 2026. [V8 / JS engine]

4

CVE-2026-5281, March 31, 2026

Use-after-free in Dawn (WebGPU). Renderer compromise required. CISA KEV added April 1. Remediation deadline April 15. [Dawn / WebGPU]

The same researcher found three of them

CVE-2026-5281 was reported by a pseudonymous bug hunter identified only by a hash (86ac1f1587b71893ed2ad792cd7dde32). That same researcher previously reported two vulnerabilities fixed in the March 23 Chrome update, a heap buffer overflow in WebGL (CVE-2026-4675) and another use-after-free in Dawn (CVE-2026-4676). They also reported a third use-after-free in Dawn (CVE-2026-5284) that was fixed alongside CVE-2026-5281.

A single researcher finding four vulnerabilities in Dawn and WebGL in quick succession suggests they have identified a productive research methodology for this area of the codebase, and there may be more where these came from. The WebGPU surface is relatively new, relatively complex, and has clearly not been exhaustively audited.

It is not just Chrome: the Chromium ecosystem problem

Every browser built on the Chromium open-source project inherits vulnerabilities in shared components like Dawn. That means CVE-2026-5281 affects Microsoft Edge, Brave, Opera, Vivaldi, and every other Chromium-derived browser until each vendor ships its own update incorporating the upstream fix.

The timing of downstream patches varies. Vivaldi shipped its fix relatively quickly. Microsoft was working on an Edge update at time of reporting. A Chrome update alone does not cover the entire Chromium-based surface. Each browser requires separate verification.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

What to do right now

Active exploitation has been confirmed for weeks. CISA deadline for federal agencies is April 15. There is no defensible argument for waiting.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Browsers were once relatively simple: they parsed HTML, executed JavaScript, and rendered pages. The modern browser is something categorically different, a graphics engine, a JavaScript and WebAssembly runtime, a GPU compute interface, a media platform, and an application layer capable of running software at near-native performance.

Each capability addition, CSS animations, WebGL, Skia, V8, WebAssembly, and now WebGPU, introduces new code paths, new memory management patterns, and new opportunities for memory safety vulnerabilities. The four Chrome zero-days of 2026 are a direct consequence of that complexity.

In 2025, Google fixed eight zero-days exploited in the wild. The 2026 pace is accelerating. Four in the first quarter, three targeting the graphics and rendering stack, at least three of them found by the same researcher. The cadence suggests both that the surface is productive for adversarial research and that researchers are operating with increasing efficiency.

The correct security posture is not to wait for patch windows. It is to treat browser zero-day advisories with the same urgency as OS-level exploits, because in a world where Chrome runs business applications, handles authentication, and interfaces with GPU hardware, the browser effectively is an operating system, with all the attack surface that implies.

Whoever found these four Chrome zero-days in under 100 days has not stopped. The next one may already be in use.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2026-5281?

CVE-2026-5281 is a use-after-free vulnerability in Dawn, Chrome's WebGPU implementation. It allows a remote attacker who has compromised the renderer process to execute arbitrary code via a crafted HTML page. Google confirmed it was exploited in the wild before the patch.

How do I patch CVE-2026-5281?

Update Chrome to version 146.0.7680.178 or later. Go to chrome://settings/help to check your version and trigger an update. Restart the browser after updating. For managed fleets, push the update via your enterprise management tool immediately.

How many Chrome zero-days have there been in 2026?

CVE-2026-5281 is the fourth Chrome zero-day patched in 2026, all confirmed exploited in the wild. Three of the four targeted the graphics and rendering pipeline. The pace indicates systematic hunting of Chrome's attack surface.

Why does WebGPU expand Chrome's attack surface?

WebGPU gives browser-based applications lower-level access to the GPU for tasks like machine learning inference, gaming, and data visualization. GPU-facing code involves asynchronous object lifecycles and complex memory management that is significantly harder to make safe than standard CPU-side allocation. This complexity creates a richer attack surface. Three of the four Chrome zero-days patched in 2026 targeted the graphics and rendering pipeline, suggesting systematic exploitation of this area.

What should enterprise teams do about Chrome zero-day frequency?

At the current pace (four exploited zero-days in under three months), enterprises should move Chrome updates from monthly patch cycles to continuous or weekly deployment. Enable Chrome's automatic update mechanisms for unmanaged fleets. For managed fleets, configure forced update rollout via your enterprise management platform with a maximum 24-hour lag from Google's stable release. CISA KEV additions on the same day as a Chrome patch are a signal to treat the update as an emergency, not a standard patch.

Sources & references

  1. Google Chrome Security Advisory
  2. CISA KEV Catalog
  3. Bleeping Computer
  4. NIST NVD
  5. SOCRadar

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.