CVE-2026-4676
Use-after-free vulnerability in Dawn, Google's open-source cross-platform implementation of the WebGPU standard, in Google Chrome prior to 146.0.7680.165. The flaw allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Dawn translates WebGPU API calls into platform-specific GPU instructions (Vulkan on Linux, Metal on macOS, Direct3D 12 on Windows) and relies on raw pointers to reference-counted objects, creating conditions where stale pointers can persist after object deallocation. This vulnerability is part of a cluster of GPU-layer bugs discovered by the same pseudonymous researcher (_86ac1f1587b71893ed2ad792cd7dde32_) who also reported CVE-2026-4675 (heap buffer overflow in WebGL) and CVE-2026-5281 (Dawn use-after-free zero-day under active exploitation). The sandbox escape potential is particularly dangerous as Dawn provides a boundary-crossing path from the sandboxed renderer process through the WebGPU API to the GPU process running at higher privilege. Patched on March 23, 2026. All Chromium-based browsers were affected.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
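The lifetime pattern named in the description (a raw pointer to a reference-counted object outliving the last reference), shown beside the owning form that avoids it. This is an added example, not Dawn or Chrome code: `Buffer`, `RawCommand` and `OwningCommand` are hypothetical names, and `std::shared_ptr` stands in for the project's own reference counting.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Stand-in for a reference-counted GPU object (hypothetical, not a Dawn type).
struct Buffer {
    int id;
    explicit Buffer(int i) : id(i) {}
};

// Pattern from the description: the command keeps a raw pointer and takes no
// reference. The weak_ptr is only an observer so the example can report
// staleness without ever dereferencing freed memory.
struct RawCommand {
    Buffer* target;
    std::weak_ptr<Buffer> probe;
    explicit RawCommand(const std::shared_ptr<Buffer>& b) : target(b.get()), probe(b) {}
    bool targetIsStale() const { return probe.expired(); }
};

// Hardened form: the command owns a reference for as long as it may use the object.
struct OwningCommand {
    std::shared_ptr<Buffer> target;
    explicit OwningCommand(std::shared_ptr<Buffer> b) : target(std::move(b)) {}
    bool targetIsStale() const { return target == nullptr; }
    int targetId() const { return target->id; }
};

// The caller drops its last reference before the command runs.
bool rawCommandOutlivesBuffer() {
    auto buf = std::make_shared<Buffer>(7);
    RawCommand cmd(buf);
    buf.reset();                 // refcount reaches zero, Buffer is freed
    return cmd.targetIsStale();  // true: cmd.target now dangles (CWE-416 precondition)
}

int owningCommandReadsBuffer() {
    auto buf = std::make_shared<Buffer>(7);
    OwningCommand cmd(buf);
    buf.reset();                 // the command's reference keeps Buffer alive
    return cmd.targetIsStale() ? -1 : cmd.targetId();
}

int main() {
    std::printf("raw pointer stale after release: %d\n", rawCommandOutlivesBuffer());
    std::printf("owning command reads id: %d\n", owningCommandReadsBuffer());
    return 0;
}
```

Building the raw-pointer variant with AddressSanitizer and actually dereferencing `target` after the release is how this class of bug is usually surfaced in testing.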
Threats tracking this CVE
- Google Chrome Dawn WebGPU Use-After-Free Zero-Day Under Active Exploitation (CVE-2026-5281) — HIGH
- Google Chrome Dawn WebGPU Use-After-Free Zero-Day Under Active Exploitation (CVE-2026-5281) — CRITICAL
References
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html
- https://issues.chromium.org/issues/488613135
- https://nvd.nist.gov/vuln/detail/CVE-2026-4676
- https://www.bleepingcomputer.com/news/security/google-fixes-fourth-chrome-zero-day-exploited-in-attacks-in-2026/
- https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html