Google has released a Chrome security update fixing 21 vulnerabilities, including the fourth zero-day exploited in active attacks against Chrome users in 2026. The flaw, tracked as CVE-2026-5281, is a use-after-free vulnerability in the Dawn WebGPU engine and was confirmed by Google to have been exploited in the wild before a fix was available.
The Vulnerability
CVE-2026-5281 is a memory safety vulnerability in Dawn, Chrome's open-source implementation of the WebGPU graphics API. Use-after-free bugs occur when a program continues to use a pointer to memory after that memory has been freed — in a browser context, this can allow attackers to corrupt heap memory and gain code execution within the browser renderer process.
| Field | Details |
|---|---|
| CVE | CVE-2026-5281 |
| Type | Use-After-Free |
| Component | Dawn (WebGPU engine) |
| Severity | High |
| Exploited | Yes — in the wild before patch |
| Patch Status | Fixed in April 1, 2026 stable release |
As is standard practice, Google withheld technical details about the vulnerability and the nature of the active exploitation to give users and enterprises time to apply the update before attackers can develop or refine their exploit chains.
Fourth Zero-Day in 2026
This is the fourth time Google has patched a Chrome zero-day that was being actively exploited in 2026 — a pattern that underscores the continued high demand for browser exploits among threat actors. The previous three Chrome zero-days this year affected the V8 JavaScript engine and inter-process communication components.
The shift to Dawn/WebGPU as an exploitation target is notable. As browsers expand their GPU access APIs to support richer web applications and GPU-accelerated compute workloads, these newer subsystems become attractive targets for security researchers and threat actors alike. Dawn is maintained as an open-source project and is shared across Chrome and all Chromium-based browsers, meaning a vulnerability can have broad reach.
Who Is Affected
Any user or device running Chrome prior to the April 1, 2026 stable release is potentially vulnerable. Additionally, because Dawn is a shared component across the Chromium codebase, other Chromium-based browsers — including Microsoft Edge, Brave, Opera, Vivaldi, and Arc — may also be affected until their respective teams ship updates based on the patched Chromium source.
Patching Guidance
Update Chrome Immediately
Chrome will offer the update automatically in most cases. To force the update now:
- Open Chrome and navigate to chrome://settings/help
- Chrome will detect and download the update automatically
- Click Relaunch when prompted
Alternatively, from the address bar, go to:
chrome://settings/help
The version number shown should reflect the April 1, 2026 release. If Chrome shows "Chrome is up to date" with an older version, force-close and reopen the browser.
Enterprise Deployment
For IT and security teams managing corporate endpoints:
```powershell
# Windows — check current Chrome version via registry
Get-ItemProperty "HKLM:\SOFTWARE\Google\Chrome\BLBeacon" -Name "version"
# Deploy update via SCCM, Intune, or your preferred endpoint management platform
# Target: Chrome version >= [patched stable channel version]
# Verify across estate using endpoint inventory
# Prioritise endpoints used for web browsing and SaaS access
```
```bash
# Linux — update via package manager
sudo apt-get update && sudo apt-get install --only-upgrade google-chrome-stable
# macOS — update via Homebrew
brew upgrade --cask google-chrome
```
Don't Forget Chromium-Based Browsers
```bash
# Check Microsoft Edge version (auto-updates separately)
msedge --version
# Brave Browser
brave-browser --version
# All should be updated once vendors ship Chromium patches
```
Broader Context: Browser Zero-Days in 2026
The frequency of exploited Chrome zero-days in 2026 reflects a consistent attacker investment in browser exploitation as a primary initial access vector:
- Browsers are universally deployed across corporate and personal endpoints
- Renderer sandbox bypasses turn a web page visit into full code execution
- Browser exploits chain well with local privilege escalation to achieve full OS compromise
- WebGPU specifically exposes lower-level hardware interfaces than previous web graphics APIs, expanding the exploitable attack surface
Security teams should treat browser patching with the same urgency as OS and server patching — browser zero-days are not just consumer threats.
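
To check the "Chrome version >= [patched stable channel version]" target from the enterprise steps against an endpoint inventory export, the following added example (not from the original article) compares versions numerically and keeps failed reads separate from patched hosts. The threshold `PATCHED_MIN`, the host names and the inventory rows are constructed placeholders.

```python
import re

# PLACEHOLDER threshold, constructed for this example. It is NOT the real
# patched build: replace it with the version from Google's release notes.
PATCHED_MIN = "100.0.2000.50"

# Constructed inventory rows: (hostname, raw `--version` output or registry value).
SAMPLE_INVENTORY = [
    ("wks-001", "Google Chrome 100.0.2000.50"),
    ("wks-002", "Google Chrome 100.0.999.120"),  # older, but sorts higher as text
    ("wks-003", "100.0.2000.49"),                 # bare registry value
    ("wks-004", "Google Chrome 101.0.10.1 beta"),
    ("wks-005", "command not found"),             # collection failed
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory, patched_min=PATCHED_MIN):
    """Classify each host as 'patched', 'vulnerable' or 'unknown'."""
    minimum = parse_version(patched_min)
    if minimum is None:
        raise ValueError("patched_min must be a four-part version")
    result = {}
    for host, raw in inventory:
        version = parse_version(raw)
        if version is None:
            result[host] = "unknown"     # never count a failed read as patched
        elif version >= minimum:         # numeric, field-by-field comparison
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Other Chromium-based browsers publish their own version numbers, so run the audit per browser with that vendor's patched version rather than Chrome's.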
Recommended Actions
- Patch all Chrome installations now — do not wait
- Audit Chromium-based browsers across your estate and ensure they receive updates as vendors release patches
- Monitor for exploitation indicators — unusual browser child process activity, renderer crashes, or unexpected network connections from browser processes
- Consider enhanced browser isolation (e.g., browser isolation platforms) for high-risk users such as executives, finance staff, and IT administrators
- Review endpoint detection rules for browser-based exploitation patterns (renderer sandbox escapes, child process anomalies)
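
As a starting point for the child-process monitoring recommended above, this added example (not from the original article) triages process-creation events whose parent is a browser. The browser names, the allowlist and the sample events are assumptions constructed for illustration; the field names follow Sysmon Event ID 1.

```python
import ntpath

# Assumption: Windows image names of the browsers deployed in the estate.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumption: a browser normally starts only copies of itself (renderer, GPU,
# utility processes). Add updaters, native-messaging hosts and similar helpers
# from your own baseline before alerting on this.
EXPECTED_CHILDREN = set(BROWSERS)
# Interpreters whose launch from a browser deserves immediate triage.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed events using Sysmon Event ID 1 (process creation) field names.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Computer": "wks-001", "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": "chrome.exe --type=renderer"},
    {"Computer": "wks-002", "ParentImage": CHROME,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"Computer": "wks-003", "ParentImage": CHROME,
     "Image": r"C:\Users\a\AppData\Local\Temp\helper.exe", "CommandLine": "helper.exe"},
    {"Computer": "wks-004", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return None for expected activity, else 'high' or 'review'."""
    if image_name(event.get("ParentImage")) not in BROWSERS:
        return None                      # parent is not a browser: out of scope
    child = image_name(event.get("Image"))
    if child in EXPECTED_CHILDREN:
        return None
    return "high" if child in INTERPRETERS else "review"

def detect(events):
    """List (computer, child image, severity) for anomalous browser children."""
    return [(ev.get("Computer"), image_name(ev.get("Image")), triage(ev))
            for ev in events if triage(ev)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```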
Source: BleepingComputer — April 1, 2026