Chrome Zero-Day CVE-2026-5281: Active Exploitation of a WebGPU Use-After-Free

CVE-2026-5281 | Actively Exploited | CISA KEV

CVSS Score: 8.6
Exploit Status: In the Wild
Patch Available: Yes
Federal Deadline: Apr 15

Google patched CVE-2026-5281 on April 1, 2026, the same day CISA added it to the Known Exploited Vulnerabilities catalog. By the time the advisory went public, the vulnerability was already being exploited in the wild. Federal agencies have until April 15 to apply the update. Everyone else should treat that deadline as a guide, not a grace period.

Active Exploitation Confirmed

CVE-2026-5281 was being exploited at patch release. A proof-of-concept circulated within 72 hours. Unpatched systems remain at risk from drive-by web page attacks requiring no user interaction beyond visiting a malicious URL.

What Is the Vulnerability

The flaw is a use-after-free in Dawn, Chrome's implementation of the WebGPU API. Use-after-free bugs occur when a program continues referencing a memory region after it has been freed. In a GPU context, the interaction between the browser's renderer process and the GPU process creates complex object lifecycle boundaries where these bugs are especially difficult to reason about and extremely dangerous when exploited.

WebGPU is Chrome's next-generation graphics API, replacing the older WebGL interface. It provides web applications with low-level access to GPU hardware for 3D graphics, image processing, and machine learning inference in the browser. The API is significantly more complex than WebGL and substantially expands the attack surface for renderer-side vulnerabilities. Dawn has received active security investment, but the complexity of the codebase makes it a persistent source of high-severity findings.

A successful exploit allows an attacker to achieve arbitrary code execution inside Chrome's renderer process. From there, a secondary sandbox escape is required to reach the underlying operating system. In this campaign, researchers observed the two-bug chain being delivered together: CVE-2026-5281 for renderer code execution paired with a separate privilege escalation to break out of the sandbox. Google has not disclosed the sandbox escape CVE as of this writing.

Attack Path

Exploitation Chain

1. Malicious web page delivered. The victim navigates to an attacker-controlled URL via a phishing link, a malvertising redirect, or a compromised legitimate site.
2. WebGPU use-after-free triggered. JavaScript on the page manipulates the Dawn GPU object lifecycle, triggering CVE-2026-5281 in the renderer process.
3. Arbitrary code execution in the renderer. The attacker controls execution inside the sandboxed Chrome renderer; the CVSS score of 8.6 reflects this partial containment.
4. Sandbox escape (chained exploit). A second vulnerability breaks out of Chrome's renderer sandbox to gain OS-level code execution as the logged-in user.
5. Post-exploitation payload deployed. Observed payloads include infostealer implants and remote access tools; session cookies and saved credentials are extracted.

Why WebGPU Is a Growing Attack Surface

WebGL, Chrome's previous browser graphics API, had years of security hardening and a relatively simple execution model. WebGPU is architecturally different. It exposes shader compilation pipelines, asynchronous command queues, and GPU memory management directly to JavaScript. The boundary between the browser's JavaScript engine, the renderer process, and the GPU driver process involves multiple trust transitions, each of which is a potential vulnerability site.

Dawn is an open-source project and therefore publicly auditable, which cuts both ways. Security researchers can find bugs, but so can exploit developers. The 72-hour PoC turnaround on CVE-2026-5281 is consistent with an exploit-development community that was already familiar with the codebase before the patch shipped. Expect continued high-severity findings from this component through 2026 as WebGPU adoption grows and the attack surface becomes better understood by offensive researchers.

Chromium-based browsers including Microsoft Edge, Brave, and Opera share the Dawn codebase and are similarly affected. Edge shipped a patched build the same day as Chrome. Other Chromium forks may lag depending on their patch cadence.

Mitigation and Remediation

The primary fix is to update Chrome to version 125.0.6422.112 or later. Chrome's auto-update mechanism handles this for most users, but enterprise environments with managed update policies may require manual deployment through Intune, SCCM, or equivalent tooling.

For organizations with sensitive workloads where disabling WebGPU is operationally feasible, Chrome Enterprise Policy supports WebGPUEnabled: false via GPO or configuration file. This eliminates the attack surface entirely at the cost of any web application that depends on WebGPU for rendering. Most business applications do not yet require WebGPU, making this a reasonable mitigation for high-value targets during the patch window.

Verification

To confirm your Chrome version: navigate to chrome://settings/help. The version string should read 125.0.6422.112 or higher. If Chrome shows a pending update, restart the browser to complete installation before checking again.
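The two controls above (update to 125.0.6422.112 or later, and WebGPUEnabled: false as a stopgap) are easy to get wrong at fleet scale, most commonly by comparing version strings lexically, which ranks 125.0.6422.9 above 125.0.6422.112. The following is an added example, not code from the original advisory or from Google: it compares Chrome build numbers component by component, treats the policy as a compensating control only when it is explicitly set to false, and classifies each endpoint. The inventory records, host names and field names are constructed sample data and assumptions about what an inventory export looks like; the Linux managed-policy directory named in a comment is likewise an assumption about deployment, not something the advisory states.

```python
"""Fleet audit for CVE-2026-5281 (added example; constructed sample data).

Flags Chrome installs below the patched build and records whether the
WebGPUEnabled=false policy is in place as a compensating control.
"""
import json

PATCHED_CHROME = "125.0.6422.112"  # fixed build named in the advisory


def parse_version(v: str) -> tuple:
    """Turn '125.0.6422.112' into (125, 0, 6422, 112).

    Numeric per-component comparison is required: as strings,
    '125.0.6422.9' sorts *after* '125.0.6422.112', which would mark an
    unpatched build as safe.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = PATCHED_CHROME) -> bool:
    """True if this build is at or above the patched release."""
    return parse_version(version) >= parse_version(minimum)


def webgpu_disabled(policies: dict) -> bool:
    """Only an explicit JSON false counts; an absent key leaves WebGPU on."""
    return policies.get("WebGPUEnabled") is False


def managed_policy() -> dict:
    """Policy body for the stopgap mitigation.

    Assumption: on Linux this is written as a JSON file under
    /etc/opt/chrome/policies/managed/; on Windows the same policy name is
    delivered via GPO. Neither path is taken from the advisory.
    """
    return {"WebGPUEnabled": False}


def classify(host: dict) -> tuple:
    """Return (status, recommended action) for one inventory record."""
    if is_patched(host["version"]):
        return "ok", "none"
    if host.get("update_pending"):
        return "restart_required", "restart Chrome to finish the pending update, then re-verify"
    if webgpu_disabled(host.get("policies", {})):
        return "mitigated", "attack surface removed by policy; still deploy the update"
    return "exposed", "push the update now; set WebGPUEnabled=false until it lands"


def audit(inventory: list) -> list:
    """Classify every endpoint; callers can filter on status != 'ok'."""
    findings = []
    for host in inventory:
        status, action = classify(host)
        findings.append({"host": host["host"], "version": host["version"],
                         "status": status, "action": action})
    return findings


# Constructed sample inventory (hypothetical hosts, not real telemetry).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "version": "125.0.6422.112", "policies": {}, "update_pending": False},
    {"host": "ws-002", "version": "125.0.6422.9", "policies": {}, "update_pending": False},
    {"host": "ws-003", "version": "124.0.6367.201", "policies": {"WebGPUEnabled": False}, "update_pending": False},
    {"host": "ws-004", "version": "125.0.6422.76", "policies": {}, "update_pending": True},
    {"host": "ws-005", "version": "126.0.6478.55", "policies": {}, "update_pending": False},
]

if __name__ == "__main__":
    print(json.dumps(managed_policy()))
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['host']:8} {finding['version']:16} {finding['status']:17} {finding['action']}")
```

Feed `audit()` the Chrome version and effective-policy fields from whatever inventory source you already have (Intune, SCCM, or an endpoint agent); an `update_pending` host is the restart case the verification step describes, and "mitigated" is deliberately not "ok" so the policy workaround never hides a missing update.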

Is Your Browser Fleet Patched?

Enterprise browser patch management is often less mature than OS patching. RedEye Security can assess your patch velocity, identify unmanaged endpoints, and help you build a repeatable process for high-priority browser CVEs.
