Google pushed a security update for Chrome on Thursday, April 1, 2026, fixing 21 vulnerabilities. One of them, tracked as CVE-2026-5281, is a high-severity zero-day flaw already being exploited by attackers in the wild.
Google confirmed this in its release notes, stating it is aware an exploit for the vulnerability exists.
The flaw is a use-after-free bug in Dawn, Google’s open-source implementation of the WebGPU standard. Google did not share details on who is exploiting the flaw or how, which is standard practice. The company withholds specifics until most users have updated, to prevent other attackers from taking advantage of the same weakness.
This is the fourth Chrome zero-day Google has patched since January 2026. In March, the company fixed two high-severity flaws, CVE-2026-3909 and CVE-2026-3910, both exploited as zero-days. In February, Google addressed CVE-2026-2441, another use-after-free bug in Chrome’s CSS component, also under active exploitation. The pace of zero-day patches this year signals ongoing, targeted interest from threat actors in Chrome’s attack surface.
“Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).
According to NIST’s National Vulnerability Database, the bug allowed a remote attacker who had already compromised the browser’s renderer process to run arbitrary code through a specially crafted HTML page. In simple terms, visiting a malicious webpage was enough to trigger the attack.
Users on Windows and macOS should update to Chrome version 146.0.7680.177 or 146.0.7680.178. Linux users should update to version 146.0.7680.177. To check your version, go to More, then Help, then About Google Chrome, and click Relaunch after the update downloads.
If you use a Chromium-based browser like Microsoft Edge, Brave, Opera, or Vivaldi, you should apply the corresponding patches as soon as your browser releases them. These browsers share Chrome’s underlying code and are affected by the same vulnerability.
