CVE-2026-5281 is a use-after-free vulnerability in Google Chrome's Dawn component that allows arbitrary code execution via crafted HTML pages. While actively exploited in the wild, this affects client-side browser software, not internet-facing servers, making it a phishing/social engineering attack vector rather than direct internet exploitation.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: USER_INTERACTION
CVE Published: 2026-04-01
Added to CISA KEV: 2026-04-01 0 DAY BETWEEN CVE AND KEV
CVE-2026-5281 Detail. Description. Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.Quick Info. CVE Dictionary Entry: CVE-2026-5281 NVD Published Date: 04/01/2026 NVD Last Modified: 04/01/2026 Source: Chrome.
Google is aware that an exploit for CVE-2026-5281 exists in the wild," Google said in a security advisory issued on Tuesday. ... exploiting this zero-day flaw in the wild, it did not share ... Google patched two other Chrome zero-day bugs exploited in attacks earlier this month: the first is an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and the second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).
The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard.As is customary for these alerts, Google did not provide any further details on how the shortcoming is being exploited and who may be behind the effort. This is typically done so as to ensure that a majority of users are updated with a fix and prevent other actors from joining the exploitation bandwagon.
CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source implementation of the WebGPU standard. This type of memory corruption flaw occurs when an application continues to use a pointer after the memory it points to has been cleared.
About CVE-2026-5281. As per usual, information about the fixed zero-day is limited, and thereโs no details about the exploit (or how/if itโs being used by attackers). CVE-2026-5281โs official description says itโs a use-after-free (UAF) vulnerability in Dawn, an open-source and cross-platform implementation of the WebGPU standard thatโs used in Chromium and Chromium-based browsers. The vulnerability affects Chrome versions before v146.0.7680.177/178 for Windows/Mac, and before v146.0.7680.177 for Linux.