CVE-2026-5281
Published: 01 April 2026
Description
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, testing, and installation of patches for known flaws, directly mitigating this use-after-free vulnerability via the Chrome update to 146.0.7680.178.
Implements memory safeguards like ASLR and DEP to protect against use-after-free exploitation in the Dawn WebGPU component.
Provides process isolation through renderer sandboxing, containing arbitrary code execution to the compromised renderer process.
Security Summary
CVE-2026-5281 is a use-after-free vulnerability (CWE-416) in the Dawn component of Google Chrome prior to version 146.0.7680.178. Dawn is a WebGPU implementation within Chromium, and the issue was assigned a High severity rating by the Chromium security team. It was published on 2026-04-01 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a remote attacker who has already compromised the renderer process in Chrome. Exploitation occurs through a crafted HTML page and enables the attacker to execute arbitrary code. Per the CVSS vector, the attack is delivered over the network with low complexity and needs no privileges, but it does require user interaction, such as visiting a malicious webpage.
Google's Chrome Releases blog announces the stable channel update to version 146.0.7680.178, which addresses the issue. The flaw is tracked in Chromium issue 491518608. Mitigation centers on applying this patch promptly, as recommended in the advisories.
The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog, indicating real-world exploitation.
Details
- CWE(s): CWE-416
- KEV Date Added: 01 April 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This is a use-after-free vulnerability in Chrome's renderer (Dawn WebGPU) that is exploited via a crafted HTML webpage to achieve arbitrary code execution. It requires user interaction (visiting a malicious page), which directly enables Exploitation for Client Execution (T1203) and Drive-by Compromise (T1189).