Chrome zero‑day active

Google released an emergency Chrome update after a zero‑day (CVE‑2026‑5281) that security outlets say is under active exploitation, so unpatched browsers are at immediate risk. Multiple outlets urged rapid patching because browsers are often the gateway to identity systems and school admin consoles. (english.aaj.tv)

Google pushed out an emergency Chrome update at the end of March after discovering that attackers were already using a newly disclosed browser bug in real attacks. In Google’s own release note, the company said “an exploit for CVE-2026-5281 exists in the wild,” which is the phrase security teams use when a flaw has moved from lab curiosity to live weapon. The fix shipped in Chrome 146.0.7680.178 for desktop, with the rollout starting on March 31, 2026. (chromereleases.googleblog.com)

The bug sits in Dawn, a graphics component that helps Chrome implement WebGPU, the part of the browser that lets websites tap the computer’s graphics hardware for fast visual and computing work. The official U.S. vulnerability record describes CVE-2026-5281 as a “use after free” flaw in Dawn. In plain English, that means Chrome could keep using a piece of memory after that memory had already been released for something else. If an attacker can line that up just right, the browser may start following bad instructions. (nvd.nist.gov)

This was not the kind of bug that lets any random webpage instantly take over a machine. The NVD entry says the flaw could let “a remote attacker who had compromised the renderer process” run code through a crafted HTML page. That detail matters. Chrome is built in layers, and the renderer is the part that draws and runs a webpage inside a tight box. Attackers often need one bug to get into that box and a second bug to break out of it. CVE-2026-5281 appears to be the second kind: the bug that can turn a foothold inside the browser into something more dangerous. (nvd.nist.gov)

Google did not publish a full technical write-up, and that restraint is deliberate. Chrome release notes routinely hold back details when users are still patching, because a precise map of the flaw would also help attackers who have not yet built an exploit. In this case, Google disclosed the existence of the bug, named the affected component, and confirmed active exploitation, but left much of the attack chain unsaid. (chromereleases.googleblog.com)

Security outlets quickly framed the update as urgent, not routine. BleepingComputer reported that this was the fourth Chrome zero-day Google had patched in 2026. The Hacker News said the March 31 release fixed 21 security issues in all, with CVE-2026-5281 the one already under attack. That pattern is part of the story: browsers are no longer just windows onto the web. They are where people log into school systems, payroll portals, email, cloud drives, and admin consoles. A bug in the browser is often a bug in the front door. (bleepingcomputer.com) (thehackernews.com)

The practical advice is simple. Update Chrome, then make sure the browser actually restarted so the new version is running. Google’s patched desktop build is 146.0.7680.178 or later, released on March 31, 2026. The warning was short, but it was unusually blunt: attackers already had working code before many users even knew the bug existed. (chromereleases.googleblog.com)
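For anyone applying that advice to more than one machine, the check below is an added example, not code from Google or the outlets cited. It assumes a hypothetical inventory export with one `host,installed,running` row per machine; the host names and every version other than 146.0.7680.178 are constructed.

```python
# Added example: triage Chrome installs against the fixed build named in the article.
FIXED_BUILD = "146.0.7680.178"  # patched desktop build, taken from the article

# Constructed sample inventory (hypothetical hosts and versions): host,installed,running
SAMPLE_INVENTORY = """\
lab-pc-01,146.0.7680.178,146.0.7680.178
lab-pc-02,146.0.7680.178,146.0.7680.99
lab-pc-03,146.0.7680.99,146.0.7680.99
lab-pc-04,147.0.7700.12,147.0.7700.12
lab-pc-05,146.0.7680.178,
"""

def parse_version(text):
    """Turn '146.0.7680.178' into (146, 0, 7680, 178); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(installed, running, fixed=FIXED_BUILD):
    """Classify one host as vulnerable, restart-pending, patched or unknown."""
    floor = parse_version(fixed)
    try:
        on_disk, in_memory = parse_version(installed), parse_version(running)
    except ValueError:
        return "unknown"  # missing or malformed data must not count as patched
    if on_disk < floor:
        return "vulnerable"  # the update has not been installed
    if in_memory < floor:
        return "restart-pending"  # updated on disk, old build still running
    return "patched"

def triage(inventory_text):
    """Map each host in a 'host,installed,running' listing to its status."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not fields[0]:
            continue  # skip blank or malformed rows
        results[fields[0]] = classify(fields[1], fields[2])
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank the constructed build 146.0.7680.99 above 146.0.7680.178 and report an unpatched host as safe.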
