Google pushed a Chrome security update on March 31 to fix CVE-2026-5281, a zero-day the company tied to active exploitation. Google shipped the fix in Chrome 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux.
TLDR
Google has patched CVE-2026-5281 in Chrome 146.0.7680.177/178 after confirming an exploit exists in the wild. The bug is a use-after-free in Dawn, Chrome's WebGPU implementation, and the release fixes 21 vulnerabilities in total. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1 with an April 15 patch deadline for federal agencies.
Google is aware that an exploit for CVE-2026-5281 exists in the wild.
— Google security advisory
Google described CVE-2026-5281 as a "use-after-free (UAF) in Dawn", the WebGPU implementation used by Chromium. Google said the desktop update includes "21" security fixes, with most entries listed as routine memory safety bugs and sandbox hardening work.
What Google lists as affected
Chrome versions "before v146.0.7680.177/178" on Windows and macOS are listed as affected in Google's post. Chrome versions "before v146.0.7680.177" on Linux are also listed as affected.
Google listed the fixed builds as "146.0.7680.177/178". Google also warned that "access to bug details and links may be kept restricted until a majority of users are updated with a fix".
What CVE-2026-5281 does
Google's release note describes the exploitation path in one line. A "remote attacker who compromised the renderer process can execute arbitrary code via a crafted HTML page", the brief said.
MITRE tracks the bug class as CWE-416, "Use After Free". MITRE describes the category as code continuing to access memory after it has been freed.
Dawn is Google's open-source WebGPU implementation. WebGPU is the browser API that exposes modern graphics and compute features to web content, and Dawn sits between the web-facing API and the lower-level GPU backends that differ across Windows, macOS and Linux.
Why Dawn sits on the hot path
Dawn is not a user-facing product name, and it shows up in advisories when the vulnerability lives below the Chrome UI layer. Dawn is the code that translates a website's WebGPU calls into driver-facing work across different platforms, and the brief ties CVE-2026-5281 to that translation layer rather than to a single web feature toggle.
Google also used the same precondition language seen in other Chrome advisories in 2026. Google framed the attacker model as a renderer compromise and the impact as "execute arbitrary code" via "crafted HTML", and the brief repeats that phrasing when describing CVE-2026-5281.
Government advisories and deadlines
CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026. CISA listed an "April 15, 2026" patch deadline for US federal agencies.
Singapore's Cyber Security Agency also issued guidance. Singapore CSA listed the issue in advisory "AL-2026-029" and referenced the same Chrome 146 stable update.
Chromium browsers beyond Chrome
Chromium is the shared codebase for a long list of browsers, and the brief lists "all Chromium-based browsers" as affected. Microsoft Edge, Vivaldi, Brave and Opera are named in the brief as impacted browsers that track Chromium releases.
Vivaldi is "already patched", the brief said. Microsoft is "working on" an Edge fix, according to the same brief.
A familiar reporter hash
Google credited the report to a pseudonymous researcher listed as "86ac1f1587b71893ed2ad792cd7dde32". The brief ties the same handle to earlier Chrome disclosures, including CVE-2026-4675 and CVE-2026-4676.
Four actively exploited zero-days in 2026
CVE-2026-5281 is the "fourth actively exploited Chrome zero-day in 2026", the brief said. CVE-2026-2441 landed in February as a CSS use-after-free, and March added CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation in V8.
Google fixed "8" Chrome zero-days across 2025, the brief said. Google also has a larger installed base than most security advisories assume, with the brief citing "3.5 billion" Chrome users.
What security teams are checking
Chrome version strings are the first check in most enterprise dashboards after an active exploitation advisory. Windows and macOS fleets are looking for 146.0.7680.177 or 146.0.7680.178, and Linux fleets are looking for 146.0.7680.177.
CISA KEV entries add a second clock for many organisations that track the catalog as a control list. April 15, 2026 is the listed deadline, and that date often becomes the internal milestone for patch validation, exception handling, and reporting.
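The version check and deadline clock described above, as an added example that is not taken from Google's advisory or any vendor tool: it classifies hosts against the fixed builds and the KEV date given in this article. The inventory rows, host names and CSV column names are constructed for illustration.

```python
import csv
import io
from datetime import date

# Minimum fixed builds and KEV deadline as stated in the article.
MIN_FIXED = {"windows": (146, 0, 7680, 177),
             "macos": (146, 0, 7680, 177),
             "linux": (146, 0, 7680, 177)}
KEV_DEADLINE = date(2026, 4, 15)

# Constructed sample inventory export (hypothetical hosts and columns).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,windows,146.0.7680.178
ws-002,windows,146.0.7680.99
mac-014,macos,146.0.7680.177
lnx-203,linux,145.0.7632.160
lnx-204,linux,147.0.7700.12
kiosk-7,windows,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if this is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' (unparseable input)."""
    version = parse_version(version_text)
    minimum = MIN_FIXED.get(os_name.strip().lower())
    if version is None or minimum is None:
        return "unknown"
    # Tuple comparison is numeric per field; a plain string comparison
    # would wrongly rank 146.0.7680.99 above 146.0.7680.177.
    return "patched" if version >= minimum else "vulnerable"

def triage(inventory_csv, today):
    """Group hosts by status and count days left before the KEV deadline."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["os"], row["chrome_version"])].append(row["host"])
    report["days_to_kev_deadline"] = (KEV_DEADLINE - today).days
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY, date(2026, 4, 2)))
```

Hosts that land in "unknown" need a manual look rather than being counted as patched, since a missing or malformed version string says nothing about the installed build.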
Google framed the exploit precondition as a compromised renderer process. Google also paired that precondition with the same outcome language used in the brief, "execute arbitrary code" via a crafted web page, and that is the standard red flag line for browser incident response teams.
What the advisory does not include
Google did not name a target set, a campaign name, or an attacker group in the March 31 post. Google stayed at the level of the CVE identifier, the component name, and the statement that an exploit exists in the wild.
Dawn is the only component called out by name for CVE-2026-5281, and the brief labels the severity as "High" with "CVSS score not yet assigned". CISA and Singapore CSA entries point readers back to the same stable channel builds and the same restriction note from Google's advisory.