Chrome's WebGPU Engine Is Becoming Hackers' Favorite Target — Update Now

Google patches CVE-2026-5281, a zero-day use-after-free in Chrome's Dawn WebGPU engine actively exploited in the wild.

Google has patched a zero-day vulnerability in Chrome that attackers are already exploiting — and this time, the target isn't JavaScript or the browser's networking stack. It's Dawn, the engine powering Chrome's next-generation graphics.

The flaw, tracked as CVE-2026-5281, is a use-after-free bug (a memory corruption error that occurs when a program continues referencing memory it has already freed) buried inside Dawn, Google's open-source implementation of the WebGPU standard. 

According to NIST's National Vulnerability Database, a remote attacker who has already broken into Chrome's renderer process could exploit this flaw to execute arbitrary code through a specially crafted HTML page — meaning visiting the wrong website could be enough.

Google confirmed the obvious: an exploit is actively circulating. The company declined to share specifics about who is behind the attacks or how widespread they are, which is standard practice — details are withheld until most users are patched and threat actors can't simply piggyback on published techniques.

What makes this patch notable isn't just the zero-day. It's the context. CVE-2026-5281 is the fourth actively exploited Chrome zero-day Google has been forced to close in 2026 alone. The company previously patched CVE-2026-3909 and CVE-2026-3910 as zero-days, and in February, addressed CVE-2026-2441, a use-after-free in Chrome's CSS engine. That's roughly one weaponized Chrome zero-day per month this year.

Beyond the actively exploited flaw, Tuesday's update carries 21 security fixes in total — a heavy patch load dominated by high-severity issues. Use-after-free bugs appear across Dawn, WebGL, WebCodecs, Web MIDI, PDF handling, Navigation, and Compositing components. Multiple vulnerabilities were reported by the same anonymous researcher, hinting at coordinated security research campaigns targeting Chrome's graphics and media subsystems.

Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — share the same underlying code and are equally exposed until their respective vendors ship updates.

To update Chrome: open the menu (⋮), go to Help → About Google Chrome, and let the update download. Then hit Relaunch. Target version is 146.0.7680.177/178 on Windows and macOS, and 146.0.7680.177 on Linux.

Don't wait on this one.
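For administrators checking more than one machine, the version floor above can be applied to an inventory of browser version strings. This is an added example, not code from Google or the original article; the host names and the sample inventory are constructed, and the input is assumed to be the text each browser prints for `--version`. Because the article gives fixed builds only for Chrome, other Chromium-based browsers are flagged for a vendor check rather than compared.

```python
import re

# Minimum fixed Chrome build named in the article (Windows/macOS also ship .178).
FIXED_CHROME = (146, 0, 7680, 177)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product_string):
    """Return patched / needs-update / check-vendor / unknown for one browser."""
    version = parse_version(product_string)
    if version is None:
        return "unknown"
    if not product_string.strip().lower().startswith("google chrome"):
        # Edge, Brave, Opera, Vivaldi: the article lists no fixed builds for them.
        return "check-vendor"
    # Compare as integer tuples; comparing strings would rank ".99" above ".177".
    return "patched" if version >= FIXED_CHROME else "needs-update"

def triage(inventory):
    """Map each host to its status."""
    return {host: classify(product) for host, product in inventory}

# Constructed sample data, not taken from any real environment.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 146.0.7680.178"),
    ("ws-002", "Google Chrome 146.0.7680.164"),
    ("mac-07", "Google Chrome 145.0.7632.117"),
    ("lin-03", "Google Chrome 146.0.7680.177 "),
    ("ws-014", "Microsoft Edge 146.0.3856.59"),
    ("ws-020", "chrome not installed"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```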
