Fourth Chrome zero-day of 2026 patched after Dawn WebGPU flaw exploited in the wild

Google patched a Chrome zero-day on April 1, 2026. CVE-2026-5281 (CVSS 8.8) is a use-after-free in Dawn, the cross-platform WebGPU implementation used by Chromium. Google confirmed an exploit exists in the wild. This is the fourth actively exploited Chrome zero-day this year.

The update addresses 21 total vulnerabilities. Fixed versions are Chrome 146.0.7680.177/.178 for Windows and macOS, and 146.0.7680.177 for Linux.

CISA added CVE-2026-5281 to the Known Exploited Vulnerabilities catalog on April 1, 2026. Federal agencies must patch by April 15 under Binding Operational Directive 22-01. Private organizations should treat KEV entries with the same urgency.

Dawn is Google's open-source library that implements the WebGPU standard inside Chromium-based browsers. It translates high-level graphics and compute instructions into platform-specific GPU calls, using Vulkan on Linux, Metal on macOS, and Direct3D on Windows.

The NVD description contains a critical qualifier. The flaw allows "a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page." CVE-2026-5281 is most likely a second-stage exploit where a separate vulnerability first compromises the renderer and the Dawn flaw then escalates.

The researcher reported the flaw on March 10, 2026. Google restricted the bug tracker entry, disclosing no details on who is behind the exploitation or what they are targeting.

One researcher reported all four graphics stack bugs. The pseudonymous hunter, identified by hash 86ac1f1587b71893ed2ad792cd7dde32, found CVE-2026-4675 (heap buffer overflow in WebGL), CVE-2026-4676 and CVE-2026-5284 (both use-after-free in Dawn). Four bugs across two release cycles points to sustained focus on Chrome's GPU-facing code.

Dawn, Skia, WebGL, CSS rendering — all C++ code paths that handle untrusted web content and manage GPU memory by hand. Every new browser API adds more of this code. Chrome's sandbox helps, but the NVD description here says "compromised the renderer process." That is a sandbox escape primitive, not a standalone drive-by.

— Artem Safonov, Threat Analyst at AnonHaven

Four actively exploited Chrome zero-days in four months. February 2026 brought CVE-2026-2441, a use-after-free in CSSFontFeatureValuesMap. Three of the four target graphics or rendering subsystems.

CVE-2026-3909 was an out-of-bounds write in the Skia 2D graphics library. CVE-2026-3910 targeted V8, Chrome's JavaScript and WebAssembly engine. In 2025, Google patched eight Chrome zero-days exploited in the wild.

Dawn is part of the Chromium open-source project. All Chromium-based browsers are affected until their vendors push updates. Vivaldi has already shipped its fix.

Enterprise administrators should verify that group policies are not blocking Chrome auto-updates. Monitor endpoint telemetry for unusual browser crashes, anomalous GPU activity, or suspicious outbound connections.

Beyond the zero-day, the same release patched 20 other vulnerabilities. Use-after-free bugs were fixed in CSS, Web MIDI, PDF, and Navigation. Heap buffer overflows were patched in GPU and ANGLE.

A V8 object corruption bug was also addressed. Most of the 20 are rated high severity.

WebGPU is a relatively young API. Chrome shipped it by default in Chrome 113 in May 2023. The API provides direct access to GPU compute and rendering, requiring fine-grained manual memory management in C++. Dawn's codebase grows with each specification revision, expanding the attack surface.

Given the cluster of Dawn bugs from one researcher, additional patches may follow.

Three Dawn bugs in two releases, same researcher. That is not random. Someone is working through Dawn's memory management systematically. I would expect more Dawn patches in the next stable release.

— Artem Safonov, Threat Analyst at AnonHaven