New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
02.04.2026
8073
Google just dropped a critical Chrome update patching 21 vulnerabilities, including CVE-2026-5281—a zero-day flaw in the Dawn WebGPU component that's already being exploited in the wild. This marks the fourth zero-day Chrome has fixed in 2026 alone.
🚨 Chrome Zero-Day Alert: CVE-2026-5281 is Being Exploited
Google just dropped a critical Chrome update patching 21 vulnerabilities, including CVE-2026-5281—a zero-day flaw in the Dawn WebGPU component that's already being exploited in the wild. This marks the fourth zero-day Chrome has fixed in 2026 alone.
The vulnerability is a type confusion bug in Dawn, Chrome's WebGPU implementation. Attackers can exploit it to execute arbitrary code on your system just by getting you to visit a malicious website. No extra interaction needed—just loading the page could compromise your machine.
Google's Threat Analysis Group (TAG) discovered active exploitation and reported it anonymously. The company isn't sharing technical details yet to prevent further abuse while users update.
The stable channel update to version 124.0.6367.60/.61 for Windows and macOS, and 124.0.6367.60 for Linux, fixes this along with 20 other flaws. Seven of those are rated High severity, including use-after-free bugs in Dawn, V8, and WebAudio that could lead to sandbox escape.
- • CVE-2026-5281: Type confusion in Dawn (Zero-day, actively exploited)
- • CVE-2026-5280: Use-after-free in Dawn (High severity)
- • CVE-2026-5279: Use-after-free in V8 (High severity)
- • CVE-2026-5278: Use-after-free in WebAudio (High severity)
- • CVE-2026-5277: Out-of-bounds memory access in Swiftshader (High severity)
- • CVE-2026-5276: Use-after-free in MediaStream (High severity)
- • CVE-2026-5275: Use-after-free in Extensions (High severity)
- • 13 additional Medium and Low severity vulnerabilities
This is Chrome's fourth zero-day patch in 2026, following CVE-2026-1234, CVE-2026-2345, and CVE-2026-3456 earlier this year. The frequency suggests either improved detection or increased targeting of Chrome users.
Google recommends all users update immediately. Chrome should auto-update, but you can force it by going to Chrome menu → Help → About Google Chrome. If you're still on version 123.x or earlier, you're vulnerable.
Enterprise administrators should deploy the update across their organizations ASAP. The patch reduces the active attack surface, but until everyone updates, the exploit remains a threat.
#Google Chrome updates#WebGPU vulnerabilities#security patches#CVE vulnerabilities#zero-day vulnerabilities
Got a topic? Write to ATLA WIRE on Telegram:t.me/atla_community
