Chrome/Dawn actively exploited use-after-free flaw (CVE-2026-5281)
Vulnerability
Summary
Hide ▲
Show ▼
Google Chrome Stable Desktop on Windows, macOS, and Linux is getting an emergency fix for CVE-2026-5281, a use-after-free flaw in Dawn/WebGPU. Google says the bug was exploited in the wild, making it a live risk for browsers that have not yet updated. The out-of-band release may take days or weeks to reach all users, so manual updating reduces exposure.
Related Happenings
Chromium JavaScript background RCE flaw
Vulnerability
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Google overhauls Android and Chrome bug bounty programs
Commercial Activity
First: 05.05.2026 14:24
Last: 05.05.2026 14:24
Sources 1
About this happening:
**Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
Google overhauls Android and Chrome bug bounty programs
Commercial ActivityAbout this happening: **Google** overhauls its **Android and Chrome** vulnerability rewards programs, reshaping payout tiers for **exploit research** and raising top rewards to **$1.5 million**. The ch...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/ServiceAbout this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Nvidia GPU GPUBreach Rowhammer-style page-table corruption privilege-escalation flaw
Vulnerability
First: 07.04.2026 14:31
Last: 07.04.2026 14:31
Sources 1
About this happening:
Researchers demonstrated **GPUBreach**, a **Rowhammer-style weakness** in **Nvidia GPUs** that can corrupt **GPU page tables** and enable **arbitrary read-write access**. When pai...
Nvidia GPU GPUBreach Rowhammer-style page-table corruption privilege-escalation flaw
VulnerabilityAbout this happening: Researchers demonstrated **GPUBreach**, a **Rowhammer-style weakness** in **Nvidia GPUs** that can corrupt **GPU page tables** and enable **arbitrary read-write access**. When pai...
Timeline
-
01.04.2026 13:25 2 articles · 1mo ago
Google discloses in-the-wild exploitation of CVE-2026-5281
Initial DisclosureGoogle warned that an exploit for CVE-2026-5281 exists in the wild and said it had evidence that threat actors were abusing a Chrome/Dawn use-after-free flaw. The weakness is in Dawn, the WebGPU implementation used by Chromium, and can trigger browser crashes, data corruption, rendering issues, or other abnormal behavior.
Show sources
- Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
-
01.04.2026 13:25 2 articles · 1mo ago
Google releases emergency Chrome Stable Desktop fix for CVE-2026-5281
Mitigation Patch UpdateGoogle issued emergency Chrome Stable Desktop updates for Windows, macOS, and Linux to fix CVE-2026-5281, with new versions 146.0.7680.177/178 for Windows and macOS and 146.0.7680.177 for Linux. Google said the out-of-band rollout could take days or weeks to reach all users, but the fix was available immediately for manual update and would install automatically at the next launch.
Show sources
- Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
-
01.04.2026 13:25 2 articles · 1mo ago
Google discloses in-the-wild exploitation of CVE-2026-5281
Initial DisclosureGoogle warned that an exploit for CVE-2026-5281 exists in the wild and said it had evidence that threat actors were abusing a Chrome/Dawn use-after-free flaw. The weakness is in Dawn, the WebGPU implementation used by Chromium, and can trigger browser crashes, data corruption, rendering issues, or other abnormal behavior.
Show sources
- Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42