Google patched a high-severity use-after-free in Dawn, the WebGPU implementation used across Chromium, and CISA added it to the Known Exploited Vulnerabilities catalog on April 1, 2026 with a two-week remediation deadline.
What Is It
CVE-2026-5281 is a use-after-free vulnerability (CWE-416) in Dawn, the graphics component inside Google Chrome. A remote attacker who has already compromised the renderer process can trigger the flaw with a crafted HTML page to execute arbitrary code. The bug carries a CVSS 3.1 base score of 8.8 (HIGH), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and Chromium's internal severity rating is also High. Exploitation requires user interaction (loading the malicious page) but no privileges.
Why It Matters
CISA added CVE-2026-5281 to the KEV catalog on 2026-04-01, confirming active exploitation in the wild. Because Dawn is an upstream Chromium component, the impact is not limited to Chrome itself; CISA explicitly notes the vulnerability "could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera." Known ransomware campaign use is currently listed as Unknown. Combined with a renderer compromise primitive, this bug is a useful sandbox-escape building block for browser exploit chains targeting desktop users.
What's Vulnerable
- Google Chrome versions prior to 146.0.7680.178 on Windows, macOS, and Linux
- Other Chromium-based browsers that ship the affected Dawn component (e.g., Microsoft Edge, Opera) until they pick up the upstream fix
Patch Status
Google fixed the issue in Chrome stable channel 146.0.7680.178 (Stable Channel Update for Desktop, 31 March 2026). CISA's required action is to apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Federal civilian agencies were required to remediate by 2026-04-15. Downstream Chromium-based browsers should be confirmed to be on a build that incorporates the upstream Dawn fix.
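A fleet check for the version threshold and the downstream caveat above, as an added example that is not part of the original advisory: it compares inventory rows numerically against 146.0.7680.178 and marks non-Chrome Chromium browsers for vendor confirmation, since this page gives no fixed build for them. The hostnames, sample versions and function names are constructed for illustration.

```python
# Added example: triage a browser inventory against the Chrome fix for CVE-2026-5281.
FIXED_CHROME = (146, 0, 7680, 178)  # fixed stable build named on this page

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a four-part version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Classify one inventory row as 'patched', 'vulnerable', 'verify' or 'unparsed'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed"  # never assume patched on bad data
    if product.strip().lower() in ("google chrome", "chrome"):
        # Compare numerically: as strings, "146.0.7680.99" sorts after "146.0.7680.178".
        return "patched" if parsed >= FIXED_CHROME else "vulnerable"
    # Edge, Opera and others use their own version numbers; the page gives no
    # fixed build for them, so the Chrome threshold must not be applied.
    return "verify"

# Constructed sample inventory (hostnames and versions are made up for illustration).
INVENTORY = [
    ("ws-001", "Google Chrome", "146.0.7680.178"),
    ("ws-002", "Google Chrome", "146.0.7680.99"),
    ("ws-003", "Google Chrome", "147.0.7700.1"),
    ("ws-004", "Microsoft Edge", "146.0.3800.10"),
    ("ws-005", "Google Chrome", "146.0.7680"),
]

def report(rows):
    """Return {host: status} for every row in the inventory."""
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked `verify` or `unparsed` need manual follow-up against the vendor's own release notes before they are counted as remediated.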