
Google has issued an emergency security update for its Chrome browser to address an actively exploited zero-day vulnerability, tracked as CVE-2026-5281. Users are strongly advised to update their browsers immediately.
Understanding CVE-2026-5281
The vulnerability is a use-after-free (UAF) flaw located in Dawn, the open-source and cross-platform implementation of WebGPU used in Chrome. WebGPU is a modern web API designed to provide high-performance 3D graphics and data-parallel computation on the web.
A use-after-free vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed. In the context of a browser, an attacker can craft a malicious HTML page or script that triggers this memory corruption. When a victim visits the compromised page, the attacker can execute arbitrary code within the context of the browser. This could lead to a complete system compromise if the attacker escapes the browser sandbox.
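The stale-reference pattern described above, as an added example (not Chrome or Dawn code): a toy slot pool in which an old handle reads data belonging to a newer allocation, beside a generation-checked lookup that rejects the stale handle. The pool, the handle layout and all function names are constructed for illustration, and the generation check is a general mitigation pattern, not a description of Google's fix.

```c
#include <stdio.h>
#include <string.h>

/* Toy object pool, constructed for illustration (not Dawn code). Slots live
   in a static array, so the stale read below is well-defined C. */
#define SLOTS 4
typedef struct { unsigned gen; int live; char data[16]; } Slot;
typedef struct { unsigned index, gen; } Handle;
static Slot pool[SLOTS];

/* Take the first free slot and copy the payload into it. */
Handle pool_alloc(const char *payload) {
    for (unsigned i = 0; i < SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", payload);
        return (Handle){ i, pool[i].gen };
    }
    return (Handle){ SLOTS, 0 };            /* pool exhausted: invalid handle */
}

/* A handle is stale once its slot has been freed or handed to a new owner. */
int is_stale(Handle h) {
    return h.index >= SLOTS || !pool[h.index].live || pool[h.index].gen != h.gen;
}
/* Release a slot; bumping the generation invalidates every older handle. */
void pool_free(Handle h) {
    if (is_stale(h)) return;
    pool[h.index].live = 0;
    pool[h.index].gen++;
}
/* Unchecked lookup models a raw pointer still used after free; checked refuses. */
const char *get_unchecked(Handle h) { return h.index < SLOTS ? pool[h.index].data : NULL; }
const char *get_checked(Handle h) { return is_stale(h) ? NULL : pool[h.index].data; }

/* Allocate, free, let a second allocation reuse the slot, then look up the
   old handle. Returns what the caller reads (NULL if the lookup refuses). */
const char *stale_lookup(int checked) {
    memset(pool, 0, sizeof pool);
    Handle old = pool_alloc("buffer-A");
    pool_free(old);
    pool_alloc("other-data");               /* reuses slot 0, generation 1 */
    return checked ? get_checked(old) : get_unchecked(old);
}

int main(void) {
    printf("unchecked read: %s\n", stale_lookup(0));
    printf("checked read:   %s\n", stale_lookup(1) ? "allowed" : "refused");
}
```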
Google’s Threat Analysis Group (TAG) confirmed that an exploit for CVE-2026-5281 exists in the wild, though specific details of the attacks have been withheld to allow users time to patch.
How to check if you’re affected
- Desktop Users (Windows, Mac, Linux):
  - Open Google Chrome.
  - Click the three vertical dots (menu) in the top-right corner.
  - Go to Help > About Google Chrome.
  - The browser will automatically check for updates and begin downloading the patched version (typically version 145.0.x.x or later).
  - Click the “Relaunch” button to apply the update.
- Chromium-based Browsers: If you use Edge, Brave, Vivaldi, or Opera, be on the lookout for equivalent updates, as they share the same underlying Chromium engine and are likely vulnerable.
