**********Google patches actively exploited Chrome zero-day CVE-2026-5281** [developing]
Key Questions
What is CVE-2026-5281 in Google Chrome?
CVE-2026-5281 is a zero-day vulnerability in Chrome's Dawn/WebGPU component involving a Use-After-Free (UAF) flaw. It enables drive-by remote code execution (RCE) and sandbox escape just by visiting a malicious site. Google has confirmed active in-the-wild exploitation.
How was CVE-2026-5281 being exploited?
Attackers exploited it for drive-by attacks where visiting a compromised website triggers RCE and sandbox escape. Exploitation is ongoing, with CISA reinforcing alerts about active attacks. No user interaction beyond site visitation is required.
What is the emergency patch for CVE-2026-5281?
Google released Chrome version 146.0.7680.178 as an emergency update to fix this zero-day. Users should update immediately to mitigate risks. This patch addresses 21 vulnerabilities total, including the exploited flaw.
Has CISA issued warnings about CVE-2026-5281?
Yes, CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities (KEV) catalog and warned of active exploitation. They urge federal agencies and users to patch promptly. Alerts emphasize the drive-by nature of the attacks.
Is CVE-2026-5281 the first Chrome zero-day in 2026?
No, it is the fourth zero-day vulnerability patched in Chrome in 2026. Google has issued multiple security warnings this year for browser attacks. This highlights ongoing threats to Chrome's 3.5 billion users.
How can Chrome users protect themselves from CVE-2026-5281?
Update to Chrome version 146.0.7680.178 or later immediately via Help > About Google Chrome. Enable automatic updates and avoid suspicious websites. CISA and Google recommend applying patches without delay due to active exploitation.
What type of attack does CVE-2026-5281 enable?
It allows remote code execution (RCE) and sandbox escape via a UAF in Dawn/WebGPU. The drive-by nature means no clicks are needed—just loading a malicious page. This was exploited in the wild before patching.
How many vulnerabilities were fixed in the Chrome update for CVE-2026-5281?
Google patched 21 vulnerabilities in the update to version 146.0.7680.178, including the actively exploited zero-day CVE-2026-5281. This emergency release prioritizes high-severity issues amid ongoing threats. Users should update for full protection.
UAF Dawn/WebGPU in-wild drive-by RCE/sandbox escape; emergency patch v146.0.7680.178, CISA KEV; 4th zero-day 2026, ongoing exploitation alerts reinforced by CISA warnings.