# CVE-2026-5281

> Critical use-after-free memory safety vulnerability in Dawn, Google's open-source cross-platform WebGPU implementation used in Chromium-based browsers. The flaw resides in Dawn's WebGPU command buffer queue and stems from inadequate synchronization during GPU object lifecycle management. A race condition is triggered when JavaScript calls .destroy() on GPU buffer objects immediately after submission via gpuDevice.queue.submit(), deallocating memory without halting pending GPU operations, leaving dangling pointers in the asynchronous GPU task queue. The exploit chain operates in a two-stage mod

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 3.3%
- **CISA KEV:** yes
- **CWE:** CWE-416

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-5281
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp