What happened
Google pushed a new Chrome desktop security update to fix CVE-2026-5281, a high-severity use-after-free bug in Dawn (the WebGPU implementation used by Chromium).
Google explicitly states an exploit exists in the wild, which makes this an active-risk issue rather than a theoretical one.
Patched versions called out in the advisory:
- Windows/macOS: 146.0.7680.177/.178
- Linux: 146.0.7680.177
Why this matters
Web browsers are among the most exposed applications on most devices. When a Chrome zero-day is actively exploited, attackers can chain it with other bugs to compromise sessions, steal data, or gain broader device access.
Even if your browser auto-updates, protection is incomplete until the updated browser is actually running (restart required in many cases).
How to check if you’re affected
You may be affected if you use Chrome desktop and your version is below:
- 146.0.7680.177 (Linux)
- 146.0.7680.177/.178 (Windows/macOS)
Quick verification steps:
- Open Chrome and go to Menu → Help → About Google Chrome.
- Confirm your installed version is at or above the patched build for your OS.
- If an update is available, install it and relaunch Chrome.
- For managed environments, verify that endpoint inventory/MDM reports the patched version on every device in the fleet.
- If you use Chromium-based alternatives (Edge, Brave, Opera, Vivaldi), track and apply their corresponding security releases too.
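
One way to run the fleet check from the steps above, as an added example that is not part of the original advisory. It assumes an inventory export with hypothetical column names that reports the installed and the running Chrome version separately, and it treats .177 as the minimum build on all three platforms; the hosts and the older 146.0.7680.165 build are constructed sample data.

```python
import csv
import io

# Minimum patched builds from the advisory, keyed by OS.
# Windows/macOS are listed as .177/.178; .177 is used as the floor (assumption).
PATCHED = {
    "linux": (146, 0, 7680, 177),
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
}

def parse_version(text):
    """Turn '146.0.7680.177' into a tuple of ints so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(os_name, installed, running):
    """Return 'vulnerable', 'restart-pending', 'patched' or 'unknown'."""
    floor = PATCHED.get(os_name.lower())
    if floor is None:
        return "unknown"          # OS not covered by the desktop advisory
    try:
        inst, run = parse_version(installed), parse_version(running)
    except ValueError:
        return "unknown"          # unparseable data needs a manual look
    if inst < floor:
        return "vulnerable"       # update not installed yet
    if run < floor:
        return "restart-pending"  # patched on disk, old binary still running
    return "patched"

# Constructed sample inventory export (hypothetical column names and hosts).
SAMPLE = """host,os,installed_version,running_version
fin-lt-01,Windows,146.0.7680.178,146.0.7680.178
adm-ws-07,Windows,146.0.7680.178,146.0.7680.165
dev-lx-12,Linux,146.0.7680.165,146.0.7680.165
mkt-mb-03,macOS,146.0.7680.177,146.0.7680.177
lab-xx-09,ChromeOS,146.0.7680.177,n/a
"""

def audit(csv_text):
    """Map each host in the export to its patch status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["os"], r["installed_version"],
                                r["running_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as restart-pending are the case the advisory warns about: the update is installed but the vulnerable binary is still the one in use.
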
Immediate defensive actions
- Force browser restart prompts where possible so updates become active quickly.
- Prioritize patching high-risk users first (admins, finance, privileged internal tools).
- Monitor for suspicious browser child-process behavior and unusual credential/session activity.
Sources
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html (primary source)
- https://nvd.nist.gov/vuln/detail/CVE-2026-5281
- https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2026/
Bottom line
Treat CVE-2026-5281 as a patch-now browser risk. Confirm both installation and restart so patched binaries are actually in use.
