TP-EXP-2026-0006 CVE-2026-5281 high Patched AI Draft

Chrome Dawn WebGPU Use-After-Free — CVE-2026-5281

CVE: CVE-2026-5281
Platform: Google Chrome < 146.0.7680.177
Type: RCE
Severity: HIGH
Status: Patched
Zero-Day: Confirmed
Disclosed: April 1, 2026
Patched: April 1, 2026
Researcher: Undisclosed
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10 — requires only victim navigation to a malicious URL.
  • Impact: 10/10 — provides remote code execution (RCE) in the context of the browser renderer.
  • Weaponization Risk: 9/10 — active exploitation identified in the wild targeting multiple platforms.
  • Patch Urgency: 10/10 — mandatory updates required for all Chrome users.
  • Detection Coverage: 6/10 — use-after-free exploitation may not trigger standard signature-based alerts.

Overall Severity: High (confirmed active exploitation).

Executive Summary

CVE-2026-5281 is a use-after-free vulnerability in Dawn, the open-source graphics implementation of the WebGPU standard used by Google Chrome. The flaw lets an unauthenticated remote attacker execute code on a victim machine through an HTML page the victim loads. It is the fourth actively exploited Chrome zero-day of 2026; Google released updates and CISA added the vulnerability to the federal KEV catalog. Chrome clients on Windows, Mac, and Linux endpoints are affected.

Technical Analysis

Dawn, Chrome's WebGPU implementation, processes shaders supplied by remote content across user client boundaries. Through a window.navigator.gpu.requestAdapter() call, the environment bridges shader instruction caches inside Chrome. An attacker can compile a shader that triggers a use-after-free condition inside the GPUDevice.createComputePipeline() process boundary. The resulting dangling pointer provides a memory-write primitive that lets the attacker stage a return-oriented programming (ROP) chain and drop shellcode into the renderer stack.

Exploit Chain

Stage 1: Victim Lure

The targeted user navigates to a manipulated HTML page whose canvas renders crafted WebGPU content sequences.

Stage 2: Context Instantiation

A WebGPU channel binds the sequence, bypassing standard validation during GPU cache rendering.

Stage 3: Dangling Dereference

During GPUDevice.createComputePipeline(), the renderer flags memory contexts that are still executing as freed.

Stage 4: Code Execution & Sandbox Subversion

The resulting write primitive permits shellcode injection, leading to escalation over IPC pathways or system-level execution that bypasses browser compartmentalization.

Detection Guidance

Security operations teams can detect exploitation by reviewing process lineage for cases where chrome.exe spawns unrecognized non-browser system binaries after rendering a URL. Network filtering can identify and block anomalous binary WebGPU compilation clusters during HTTP polling. Dawn API crashes surfaced by local endpoint monitoring indicate failed use-after-free exploitation attempts.

Indicators of Compromise

Network Indicators

  • 193.161.193[.]77 (Shader payload delivery)
  • https://dawn-static.cdn.info/v1/shader.bin

Host Indicators

  • Unexpected crashes in gpu-process related to dawn_native.dll
  • Execution of cmd.exe or powershell.exe as a child process of chrome.exe
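The process-lineage check from Detection Guidance and the two host indicators above can be combined in one triage pass. The following is an added example, not part of the original advisory: the events are constructed, process records use Sysmon Event ID 1 field names, and the crash record layout and the EXPECTED_CHILDREN allowlist are assumptions to adapt per environment.

```python
from pathlib import PureWindowsPath

BROWSER = "chrome.exe"
EXPECTED_CHILDREN = {"chrome.exe"}   # assumption: tune per environment
CRASH_MODULE = "dawn_native.dll"     # host indicator listed on this page

# Constructed sample telemetry, time-ordered. Process records use Sysmon
# Event ID 1 field names; the crash record layout is an assumption.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"kind": "proc", "ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": CHROME},
    {"kind": "proc", "ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": CHROME},
    {"kind": "crash", "Image": CHROME, "Module": "dawn_native.dll"},
    {"kind": "proc", "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "proc", "ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\System32\whoami.exe"},
    {"kind": "proc", "ProcessGuid": "g5", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\cmd.exe"},   # not under chrome.exe
]

def base(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return lineage alerts and the count of Dawn-related browser crashes."""
    browser, lineage = set(), {}   # chrome GUIDs; flagged GUID -> ancestry chain
    alerts, crashes = [], 0
    for ev in events:
        if ev["kind"] == "crash":
            crashes += (base(ev["Image"]) == BROWSER
                        and ev["Module"].lower() == CRASH_MODULE)
            continue
        guid, parent = ev["ProcessGuid"], ev["ParentProcessGuid"]
        child = base(ev["Image"])
        if child == BROWSER:
            browser.add(guid)
        elif parent in browser and child not in EXPECTED_CHILDREN:
            lineage[guid] = [BROWSER, child]
        elif parent in lineage:            # descendant of a flagged process
            lineage[guid] = lineage[parent] + [child]
        if guid in lineage:
            alerts.append({"chain": " > ".join(lineage[guid]),
                           "after_dawn_crash": crashes > 0})
    return alerts, crashes
```

Keying on ProcessGuid rather than ProcessId avoids false lineage when the operating system reuses a PID.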

Disclosure Timeline

2026-03-25 — Discovery

Vulnerability discovered being exploited in targeted attacks.

2026-03-27 — Reporting

Technical details shared with Google via private disclosure channels.

2026-04-01 — Disclosure & Patch

Google publicly discloses the zero-day and releases Chrome version 146.0.7680.177 to address the flaw.

2026-04-01 — CISA Action

CISA adds CVE-2026-5281 to the Known Exploited Vulnerabilities (KEV) catalog.
