Google Patches Fourth Chrome Zero-Day of 2026
CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.
Google released an emergency Chrome update to address CVE-2026-5281, a use-after-free vulnerability in Dawn being actively exploited in the wild. This marks the fourth Chrome zero-day patched this year—and we're only in April.
Dawn is Chrome's cross-platform implementation of the WebGPU standard, the next-generation graphics API designed to replace WebGL. The vulnerability allows attackers to trigger browser crashes, data corruption, and potentially arbitrary code execution through maliciously crafted web content.
Patch Details
Google pushed the following versions to address the flaw:
- Windows: Chrome 146.0.7680.178
- macOS: Chrome 146.0.7680.177/178
- Linux: Chrome 146.0.7680.177
The company warned that full deployment "could require days or weeks," though the update was immediately available through manual update checks at the time of publication. Users should navigate to chrome://settings/help to force an update rather than waiting for automatic rollout.
Limited Disclosure
Google confirmed awareness of active exploitation but, as usual, withheld technical specifics. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the advisory stated. This approach gives defenders time to patch before exploit details become widely available.
The lack of attribution or incident details leaves open questions about who's exploiting this flaw and how. State-sponsored actors, commercial spyware vendors, and financially motivated groups have all leveraged Chrome zero-days in recent years.
2026's Chrome Zero-Day Trend
The pace of Chrome zero-day exploitation has been aggressive this year. Before CVE-2026-5281, Google already patched:
- CVE-2026-2441 (February): An iterator invalidation bug in CSSFontFeatureValuesMap
- CVE-2026-3909 (March): Out-of-bounds write in the Skia 2D graphics library
- CVE-2026-3910 (March): Inappropriate implementation in the V8 JavaScript engine
We previously covered the Skia and V8 vulnerabilities when CISA added them to the Known Exploited Vulnerabilities catalog. The addition of a fourth zero-day before Q2 suggests attackers are investing heavily in browser exploitation research.
Why WebGPU Matters
Dawn sits at an interesting intersection of capability and attack surface. WebGPU provides web applications direct access to GPU hardware, enabling graphics-intensive applications and machine learning workloads to run in the browser. That power comes with complexity—and complexity breeds vulnerabilities.
Use-after-free bugs in graphics APIs are particularly valuable to attackers. These components handle complex memory operations, making them fertile ground for memory corruption issues. Successful exploitation can break out of browser sandboxes and achieve code execution on the underlying system.
What Security Teams Should Do
For most organizations, the immediate action is simple: ensure Chrome updates are deploying across your fleet. But the broader pattern deserves attention.
- Audit browser update policies - If you're not on the latest Chrome version within 48 hours of release, you're carrying unnecessary risk
- Consider enterprise management tools - Chrome Enterprise offers granular control over update timing and deployment
- Monitor for indicators - Watch for unusual browser crashes or rendering artifacts that could signal exploitation attempts
- Review WebGPU usage - Some organizations may choose to disable WebGPU via policy until the threat landscape stabilizes
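A fleet audit against the fixed builds listed above can be scripted. The following is an added example, not code from Google or from this article's sources: it assumes an inventory export with hypothetical columns `host`, `os` and `chrome_version`, and the sample rows are constructed.

```python
import csv
import io

# Minimum fixed builds per platform, from the patch list in this article.
# macOS shipped as 177/178, so 177 is treated as the minimum patched build.
FIXED = {
    "windows": (146, 0, 7680, 178),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,Windows,146.0.7680.178
ws-002,Windows,146.0.7680.177
mac-001,macOS,146.0.7680.177
lin-001,Linux,146.0.7680.99
lin-002,Linux,147.0.7700.10
kiosk-01,ChromeOS,146.0.7680.100
ws-003,Windows,unknown
"""

def parse_version(text):
    """Return a 4-part version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, version_text):
    """Compare numerically: as strings, '...99' would sort above '...177'."""
    fixed = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Group hosts from the CSV export by patch status."""
    results = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[classify(row["os"], row["chrome_version"])].append(row["host"])
    return results

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket are worth as much attention as the `vulnerable` ones, since a missing or unparseable version usually means the inventory agent is not reporting.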
The accelerating pace of Chrome zero-days also raises questions about browser monoculture. With Chrome commanding roughly 65% of browser market share, vulnerabilities affect a massive portion of the internet's users simultaneously.
Looking Ahead
Four zero-days in four months isn't a good trajectory. Chrome's security team operates one of the industry's most sophisticated vulnerability management programs, but they're playing whack-a-mole against well-resourced adversaries.
The silver lining is Google's rapid response time. When exploitation is confirmed, patches typically arrive within days. The challenge is the deployment gap—the period between patch availability and universal adoption. That window is when most exploitation occurs.
Organizations should treat Chrome updates as critical security patches, not convenience features. The days of "we'll update during the next maintenance window" don't account for active exploitation scenarios.
For individual users: update Chrome now. Check manually if you haven't received the prompt. The attackers already have working exploits—don't give them more time to use them.