TP-2026-0034 high Under Review C

Chrome WebGPU Zero-Day (CVE-2026-5281) — Fourth Actively Exploited in 2026

Date April 1, 2026
Attack Type Zero-Day Exploitation Sector Multi-Sector
Geography Global
Threat Actor Unknown
Attribution A4
CVEs CVE-2026-5281
Confidence C

Executive Summary

On April 1, 2026, Google released Chrome 146 containing a fix for CVE-2026-5281, a high-severity use-after-free vulnerability in Dawn (Chrome’s WebGPU implementation). Google confirmed that an exploit for this zero-day exists in the wild and is actively being exploited, making it the fourth independently exploited Chrome zero-day vulnerability patched in 2026.

Public details remain limited, but the NVD description states that CVE-2026-5281 allowed a remote attacker who had already compromised the renderer process to execute arbitrary code via a crafted HTML page. The CISA Known Exploited Vulnerabilities (KEV) catalog added CVE-2026-5281 on April 1, 2026, with a mandatory patch deadline of April 15, 2026 for Federal Civilian Executive Branch (FCEB) agencies.

The rapid succession of four Chrome zero-days in 2026 (averaging one per quarter) suggests an escalating threat trend targeting widespread browser adoption. This incident underscores the evolving sophistication of threat actors targeting Chrome infrastructure and the WebGPU API surface.

Technical Analysis

CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source, cross-platform implementation of the WebGPU standard that underlies Chrome’s WebGPU functionality. The vulnerability stems from memory management flaws in Dawn’s resource binding and command buffer processing.

Exploitation leverages the WebGPU API surface exposed to web content. The attacker creates a WebGPU graphics context via navigator.gpu.requestAdapter() and adapter.requestDevice(), then submits specially crafted WebGPU command buffers that cause premature deallocation of GPU resource objects followed by subsequent memory access. Successful exploitation allows arbitrary machine code execution within the renderer process sandbox, potentially enabling sandbox escape via additional vulnerabilities.

Chrome versions 146.0.7680.176 and earlier on Windows, macOS, and Linux are vulnerable. The fix is available in Chrome 146.0.7680.177 (Windows and Linux) and 146.0.7680.178 (macOS). WebGPU provides low-level GPU access to web applications, enabling high-performance graphics rendering, compute operations, and machine learning workloads, which creates a broad attack surface for memory corruption vulnerabilities.

Attack Chain

Stage 1: Exploit Delivery

Attacker creates or compromises a website hosting the exploit. Victims are directed to the page via phishing, malvertising, or drive-by compromise.

Stage 2: WebGPU Context Creation

The malicious page executes WebGPU code that creates a graphics context and submits crafted command buffers triggering the use-after-free condition in Dawn.

Stage 3: Renderer Code Execution

Arbitrary code executes within the Chrome renderer process with the privileges of the logged-in user.

Stage 4: Post-Exploitation

Attacker deploys additional malware, exfiltrates credentials and data, or pivots to system-level compromise via sandbox escape.

Impact Assessment

With over 4.36 billion Chrome users as of March 2026, the potential victim population is enormous. Sectors at elevated risk include finance, defense, healthcare, and critical infrastructure, which are high-value targets for state-sponsored actors.

Successful exploitation results in arbitrary code execution within the renderer process. While the Chrome sandbox provides containment, additional sandbox escape vulnerabilities could escalate this to full system compromise. The unpatched exposure window extends from pre-April 1 exploitation through an expected 2-4 week enterprise patching lag.

Indicators of compromise include unexpected Chrome renderer process crashes, WebGPU API calls from suspicious web origins, unusual GPU memory allocation patterns, and command-and-control traffic from the Chrome process to external IPs immediately after navigation.

Historical Context

The specific threat actors exploiting CVE-2026-5281 have not been publicly identified. Google confirmed active in-the-wild exploitation but did not attribute the attacks to any named group. The sophistication required for WebGPU exploitation suggests state-sponsored actors or well-resourced cybercriminal groups.

The pattern of four Chrome zero-days in four months across diverse Chrome components (V8, Blink, PDF, WebGPU) indicates broad security assessment by threat actors across the Chrome codebase and advanced development infrastructure.

Timeline

Pre-April 2026 — Exploit Development

Unknown threat actors develop exploitation code for CVE-2026-5281 and deploy it in the wild via drive-by compromise or targeted campaigns.

2026-04-01 — Google Releases Chrome 146 with Patch

Google releases Chrome 146.0.7680.177/178 containing the fix. Official disclosure confirms active exploitation.

2026-04-01 — CISA KEV Addition

CISA adds CVE-2026-5281 to the Known Exploited Vulnerabilities catalog with April 15 mandatory remediation deadline for FCEB agencies.

2026-04-02 to 2026-04-14 — Enterprise Patching Window

Organizations deploy Chrome 146 patches across managed endpoints with varying progress by sector and organizational size.

2026-04-15 — FCEB Patching Deadline

Federal Civilian Executive Branch agencies must complete remediation of CVE-2026-5281 per CISA mandate.

Remediation & Mitigation

Patch Chrome to version 146.0.7680.177 or later (all platforms) within 48 hours. Implement compliance checks to confirm Chrome versions across all systems. If patching is delayed, disable WebGPU via Chrome policies using the flag —disable-features=WebGPU.

Deploy Chrome updates through enterprise management tools (Google Admin Console, Group Policy, MDM/Jamf, package managers) rather than relying on individual users. Monitor Chrome process creation events for unusual command-line arguments. Enable GPU-level memory access logging if supported by EDR platform.

Monitor for WebGPU API usage from unexpected web origins. Review browser cache for indicators of WebGPU exploit payloads. Alert on Chrome renderer process exceptions or segmentation faults. Restrict Chrome use to trusted internal web applications on systems unable to patch, and isolate those systems from internet-facing networks.

Sources & References

zero-daychromewebgpuuse-after-freecisa-kevbrowserdawndrive-by