Fourth actively exploited Chrome zero-day (CVE-2026-5281) in Dawn WebGPU implementation patched by Google
Summary
Google released emergency fixes for the fourth Chrome zero-day vulnerability (CVE-2026-5281) exploited in attacks during 2026, addressing a use-after-free flaw in Dawn, the cross-platform WebGPU implementation within Chromium. The vulnerability allowed attackers to trigger browser crashes, data corruption, rendering issues, or abnormal behavior via malicious web content and, for a remote attacker who had compromised the renderer process, arbitrary code execution via crafted HTML. Google confirmed active exploitation in the wild but withheld technical details to prevent further abuse until widespread patch adoption. Updates were immediately available for Windows, macOS, and Linux users in the Stable Desktop channel (versions 146.0.7680.177/178), though rollout may take days or weeks to reach all users. Automatic updates are enabled by default unless manually disabled. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to apply fixes as they become available.
Timeline
- 01.04.2026 13:25 (2 articles)
  Chrome zero-day (CVE-2026-5281) in Dawn WebGPU patched after active exploitation
  Google released emergency updates for Chrome Stable Desktop (versions 146.0.7680.177/178) addressing CVE-2026-5281, a use-after-free flaw in Dawn (WebGPU implementation) exploited in attacks. The vulnerability allowed memory corruption leading to arbitrary code execution via crafted HTML in compromised renderer processes, browser crashes, rendering issues, or data corruption. Google confirmed active exploitation but withheld details to prevent further abuse. Patches were available immediately for Windows, macOS, and Linux users, with automatic updates enabled by default. Users of Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera, Vivaldi) are advised to apply fixes as they become available.
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
Information Snippets
- CVE-2026-5281 is a use-after-free vulnerability in Dawn, the WebGPU implementation used by Chromium, enabling memory corruption attacks.
  First reported: 01.04.2026 13:25 (2 sources, 2 articles)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
- Exploitation of CVE-2026-5281 allows attackers to cause browser crashes, data corruption, rendering issues, or other abnormal behavior through crafted web content.
  First reported: 01.04.2026 13:25 (1 source, 1 article)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- Google confirmed active exploitation of CVE-2026-5281 in the wild but did not disclose incident details, citing ongoing mitigation efforts.
  First reported: 01.04.2026 13:25 (2 sources, 2 articles)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
- Patches were released for Chrome Stable Desktop (versions 146.0.7680.177/178) on Windows, macOS, and Linux, with immediate availability for users who check for updates.
  First reported: 01.04.2026 13:25 (2 sources, 2 articles)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
- CVE-2026-5281 is the fourth actively exploited Chrome zero-day patched in 2026, following CVE-2026-2441, CVE-2026-3909, and CVE-2026-3910.
  First reported: 01.04.2026 13:25 (1 source, 1 article)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- The Dawn use-after-free flaw affects the WebGPU standard's cross-platform implementation, leveraging Chromium's rendering pipeline for potential exploitation.
  First reported: 01.04.2026 13:25 (1 source, 1 article)
  Sources:
  - Google fixes fourth Chrome zero-day exploited in attacks in 2026 — www.bleepingcomputer.com — 01.04.2026 13:25
- CVE-2026-5281 is a use-after-free in Dawn (WebGPU implementation) that allows a remote attacker who compromised the renderer process to execute arbitrary code via crafted HTML.
  First reported: 01.04.2026 14:42 (1 source, 1 article)
  Sources:
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
- Google patched 21 vulnerabilities in total with this release, including CVE-2026-5281.
  First reported: 01.04.2026 14:42 (1 source, 1 article)
  Sources:
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
- Users of Chromium-based browsers (e.g., Microsoft Edge, Brave, Opera, Vivaldi) are advised to apply fixes as they become available.
  First reported: 01.04.2026 14:42 (1 source, 1 article)
  Sources:
  - New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released — thehackernews.com — 01.04.2026 14:42
Similar Happenings
Google Chrome Zero-Day Exploits in Skia and V8 Engine
Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, affecting Windows, macOS, and Linux systems. The updates are rolling out to users, though it may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.
CVE-2026-2441: Chrome Zero-Day Exploited in the Wild
Google has released a patch for a high-severity use-after-free vulnerability (CVE-2026-2441) in Chrome's CSSFontFeatureValuesMap, which is actively being exploited. The flaw, discovered by Shaheen Fazim, allows remote attackers to execute arbitrary code within a sandbox via crafted HTML pages. Users are advised to update to versions 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux. This is the first actively exploited zero-day in Chrome for 2026, highlighting the ongoing threat of browser-based vulnerabilities. The vulnerability was disclosed to the vendor on February 11, 2026, only two days before it was patched. The flaw can likely be exploited for arbitrary code execution by getting the targeted user to visit a malicious website, although an additional vulnerability is likely needed to escape the sandbox and achieve complete system takeover. The patch was tagged as "cherry-picked" (or backported) across multiple commits, indicating its importance and urgency. The commit message notes that the patch addresses "the immediate problem" but indicates there's "remaining work" tracked in bug 483936078, suggesting this might be a temporary fix or that related issues still need to be addressed. The update was published on February 13, 2026, and accompanied by an advisory on CVE-2026-2441. Google has restricted access to bug details and links until a majority of users are updated with a fix. Google released eight emergency patches for Chrome in 2025 to protect against actively exploited vulnerabilities.
Increased Focus on Browser Security Due to Rising Threats
The browser has become a prime target for attackers due to its central role in modern work environments. Attacks exploit vulnerabilities, malicious extensions, and session hijacking to steal sensitive data. The Snowflake breach highlighted the risks, prompting discussions on whether the browser is the new endpoint. Experts emphasize the need for stronger browser security measures to mitigate these threats. The Snowflake attack, which used stolen credentials, underscored the vulnerability of browsers. This incident, along with others like those by Scattered Spider and ShinyHunters, has led to increased awareness of browser security risks. Experts suggest that enterprises should treat the browser as a secure agent and integrate browser security with network and endpoint protections. Attacks on browsers often avoid malware, making detection difficult. Security measures should minimize user friction and integrate browser, network, and endpoint security for comprehensive threat prevention.