Find notable cyber news and cases, enriched with sources, timelines, and signals.

Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)

Vulnerability
First reported
Last updated
Happening score
H score 1
2 unique sources, 2 articles

Summary

Hide ▲

Google Chrome Stable Desktop on Windows, macOS, and Linux is getting an emergency fix for CVE-2026-5281, a use-after-free flaw in Dawn/WebGPU. Google says the bug was exploited in the wild, making it a live risk for browsers that have not yet updated. The out-of-band release may take days or weeks to reach all users, so manual updating reduces exposure.

Related Happenings

Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)

Vulnerability
H score45 First: 09.06.2026 09:56 Last: 09.06.2026 09:56 Sources 1

About this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...

Chromium JavaScript background RCE flaw

Vulnerability
H score16 First: 21.05.2026 21:13 Last: 21.05.2026 21:13 Sources 1

About this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...

Google overhauls Android and Chrome bug bounty programs

Commercial Activity
H score0 First: 05.05.2026 14:24 Last: 05.05.2026 14:24 Sources 1

About this happening: **Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft

Security Tool/Service
H score11 First: 09.04.2026 21:33 Last: 09.04.2026 21:33 Sources 1

About this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...

Timeline

  1. 01.04.2026 13:25 2 articles · 3mo ago

    Google discloses in-the-wild exploitation of CVE-2026-5281

    Initial Disclosure

    Google warned that an exploit for CVE-2026-5281 exists in the wild and said it had evidence that threat actors were abusing a Chrome/Dawn use-after-free flaw. The weakness is in Dawn, the WebGPU implementation used by Chromium, and can trigger browser crashes, data corruption, rendering issues, or other abnormal behavior.

    Show sources
  2. 01.04.2026 13:25 2 articles · 3mo ago

    Google releases emergency Chrome Stable Desktop fix for CVE-2026-5281

    Mitigation Patch Update

    Google issued emergency Chrome Stable Desktop updates for Windows, macOS, and Linux to fix CVE-2026-5281, with new versions 146.0.7680.177/178 for Windows and macOS and 146.0.7680.177 for Linux. Google said the out-of-band rollout could take days or weeks to reach all users, but the fix was available immediately for manual update and would install automatically at the next launch.

    Show sources
  3. 01.04.2026 13:25 2 articles · 3mo ago

    Google discloses in-the-wild exploitation of CVE-2026-5281

    Initial Disclosure

    Google warned that an exploit for CVE-2026-5281 exists in the wild and said it had evidence that threat actors were abusing a Chrome/Dawn use-after-free flaw. The weakness is in Dawn, the WebGPU implementation used by Chromium, and can trigger browser crashes, data corruption, rendering issues, or other abnormal behavior.

    Show sources