CVE-2026-5281

CISA KEV
CVSS 8.8 (HIGH) · EPSS 3.3% · Published 2026-04-01

Critical use-after-free memory safety vulnerability in Dawn, Google's open-source cross-platform WebGPU implementation used in Chromium-based browsers. The flaw resides in Dawn's WebGPU command buffer queue and stems from inadequate synchronization during GPU object lifecycle management.

A race condition is triggered when JavaScript calls .destroy() on GPU buffer objects immediately after submission via gpuDevice.queue.submit(), deallocating memory without halting pending GPU operations, leaving dangling pointers in the asynchronous GPU task queue.

The exploit chain operates in a two-stage model: an attacker first compromises Chrome's renderer process through a separate vulnerability, then a crafted HTML page triggers the Dawn use-after-free to fill freed memory with malicious code, achieving arbitrary code execution in the GPU process context at higher privilege than the sandboxed renderer, effectively a sandbox escape.

The vulnerability was confirmed under active in-the-wild exploitation on March 31, 2026 and represents the fourth actively exploited Chrome zero-day of 2026, following CVE-2026-2441 (CSS engine UAF, February), CVE-2026-3909 (Skia OOB write, March), and CVE-2026-3910 (V8 flaw, March). CISA added it to the KEV catalog on April 1, 2026 with a remediation deadline of April 15, 2026.

Patched in Chrome 146.0.7680.177/178 as part of an emergency update addressing 21 total vulnerabilities. All Chromium-based browsers including Edge, Brave, Opera, and Vivaldi were affected.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
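
A patch-triage check built from the fixed Chrome build and KEV deadline stated above, as an added example that is not part of the original advisory or any vendor tooling. The inventory rows, host names and status labels are constructed for illustration; fixed builds for Edge, Brave, Opera and Vivaldi are not given on this page, so those rows are routed to a vendor-advisory lookup instead of being compared.

```python
from datetime import date

# Values taken from the advisory text above.
FIXED_CHROME = (146, 0, 7680, 177)  # first patched Chrome build named on the page
KEV_DUE = date(2026, 4, 15)         # CISA KEV remediation deadline from the page
# Affected per the page, but it states no fixed builds for these browsers.
CHROMIUM_FORKS = {"edge", "brave", "opera", "vivaldi"}


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(host, browser, version, today):
    """Classify one inventory row as (host, status, note)."""
    name = browser.strip().lower()
    if name in CHROMIUM_FORKS:
        return (host, "CHECK_VENDOR", "affected family; fixed build not given here")
    if name != "chrome":
        return (host, "NOT_LISTED", "browser not named in the advisory")
    parsed = parse_version(version)
    if parsed is None:
        return (host, "UNKNOWN", f"unparseable version {version!r}")
    if parsed >= FIXED_CHROME:
        return (host, "PATCHED", "")
    days = (KEV_DUE - today).days
    if days >= 0:
        return (host, "VULNERABLE", f"{days} days to KEV deadline")
    return (host, "VULNERABLE", f"{-days} days past KEV deadline")


# Constructed inventory rows (host, browser, version); hypothetical hosts.
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "146.0.7680.176"),
    ("ws-002", "Chrome", "146.0.7680.178"),
    ("ws-003", "Edge", "146.0.0.0"),
    ("ws-004", "Chrome", "146.0.7680"),
]


def run(today=date(2026, 4, 10)):
    return [triage(*row, today) for row in SAMPLE_INVENTORY]


if __name__ == "__main__":
    for host, status, note in run():
        print(f"{host:8} {status:13} {note}")
```

Rows that come back UNKNOWN or CHECK_VENDOR should be treated as unresolved until a version is confirmed, not as patched.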

Weaknesses (CWE)

CWE-416
