Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Image: sergign/Envato Elements

Google patches 21 Chrome vulnerabilities, including an actively exploited zero-day flaw that could enable code execution and full device compromise.

Written By
Ken Underhill
Ken Underhill
Apr 2, 2026

Chrome just became the latest battlefield in an ongoing war over memory safety.

Google has pushed an urgent security update after uncovering multiple high-severity vulnerabilities — one of which is already being exploited in the wild. In a rare and pointed advisory, the company confirmed: “We are aware that an exploit for CVE-2026-5281 exists in the wild.”

That single line shifts this from routine patching to active threat response, where attackers aren’t waiting—they’re already moving.

Inside CVE-2026-5281

The vulnerability, tracked as CVE-2026-5281, is a use-after-free flaw affecting Chrome’s WebGPU implementation through its Dawn GPU abstraction layer.

This class of vulnerability occurs when a program continues to access memory after it has been freed, creating an opportunity for attackers to manipulate memory and execute malicious code.

In this case, the issue lies in Dawn — a cross-platform component that enables WebGPU and interacts closely with the underlying system hardware, increasing the potential impact of exploitation.

Google has confirmed that CVE-2026-5281 is being actively exploited in the wild. Attackers can exploit this flaw by triggering memory mismanagement within the GPU processing pipeline. This can lead to memory corruption, allowing adversaries to execute arbitrary code within the browser context.

In more advanced attack chains, the vulnerability could be combined with additional flaws to bypass Chrome’s sandbox protections and gain deeper access to the underlying system — potentially resulting in full device compromise.

The Chrome patch release addressed 21 vulnerabilities, many involving memory-safety issues such as use-after-free and heap buffer overflows across components, including WebGL, WebCodecs, CSS, and the V8 JavaScript engine.

The vulnerabilities that were patched impact Chrome versions prior to 146.0.7680.177 on Linux and 146.0.7680.177/178 on Windows and macOS.

Reducing risk from browser-based attacks

Given the active exploitation of this vulnerability, organizations should prioritize reducing exposure and layering defensive controls.

  • Apply the latest patch and verify deployment across all managed systems using endpoint management tools.
  • Monitor endpoint and network telemetry for signs of exploitation, including unusual browser crashes, anomalous GPU activity, or suspicious outbound connections.
  • Restrict high-risk browser features such as WebGPU, WebGL, WebAssembly, and limit extensions through enterprise policies.
  • Strengthen endpoint protections by enabling EDR/XDR behavioral detection, exploit mitigation controls, and application allowlisting.
  • Reduce the attack surface through least-privilege access, network segmentation, and DNS or web filtering to block malicious infrastructure.
  • Test incident response plans and use attack-simulation tools for browser-exploitation scenarios.

This incident highlights a broader trend: modern browsers continue to grow more complex, incorporating features like GPU acceleration and real-time rendering that expand the attack surface. Memory safety vulnerabilities — particularly use-after-free issues — remain an ongoing challenge.

At the same time, advances in AI are contributing to faster vulnerability discovery and potentially shorter timelines between disclosure and exploitation.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.