Chrome WebGPU zero‑day

A critical Chrome WebGPU zero‑day tracked as CVE‑2026‑5281 is in the wild, and vendors are advising users to update affected browsers. The vulnerability highlights risk in browser‑exposed GPU surfaces used by web tooling and model dashboards. (mundobytes.com)

Web graphics is the browser feature that lets a site tap your computer’s graphics chip for heavy visual work. Google says attackers are already exploiting a flaw in that system in Chrome. (chromereleases.googleblog.com) The bug is tracked as CVE-2026-5281 and sits in Dawn, the code Chrome uses to talk to the graphics processor through WebGPU. The National Vulnerability Database says it is a “use after free” memory bug in Chrome versions before 146.0.7680.178. (nvd.nist.gov)

A “use after free” bug is a case where software keeps using a chunk of memory after it has been released, like reading from a page that has already been torn out. In this case, the National Vulnerability Database says an attacker who had already compromised Chrome’s renderer process could execute arbitrary code with a crafted HTML page. (nvd.nist.gov)

Google shipped the fix on March 31, 2026, in Chrome 146.0.7680.177 for Mac and Linux and 146.0.7680.177 or .178 for Windows. In the same advisory, Google said it was “aware that an exploit for CVE-2026-5281 exists in the wild.” (chromereleases.googleblog.com) The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026. That catalog entry gave federal civilian agencies until April 15, 2026, to apply fixes. (cisa.gov)

WebGPU is the newer web standard that gives sites lower-level access to the graphics chip than older browser graphics tools. Browser makers added it for games, design apps, data visualization, and machine-learning tools that run in a tab instead of a desktop program. (developer.chrome.com) That extra access also widens the attack surface around the browser’s graphics path. The Chrome advisory lists the flaw as “High” severity, and the Singapore Cyber Security Agency said successful exploitation could let a remote attacker run code after compromising the renderer process. (chromereleases.googleblog.com) (csa.gov.sg)

The issue is not limited to Google Chrome. Microsoft said its April 3, 2026 Stable Channel update for Edge 146.0.3856.97 contains the Chromium fix, and Vivaldi said its April 1, 2026 desktop and Android updates include a fix for CVE-2026-5281. (learn.microsoft.com) (vivaldi.com)

For users, the practical step is simple: update any Chromium-based browser to a build that includes the March 31 fix, then restart it so the patch actually loads. The story here is not a new setting to toggle off, but an old browser rule that still holds when graphics features get more powerful: patch fast. (chromereleases.googleblog.com)
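
The update-then-restart step above can be audited across a fleet. The following Python check is an added example, not code from Google, Microsoft or this article's sources; it compares installed and running browser builds against the fixed builds quoted above. It assumes version banners in the form `<product> <version>`, and the host names and unpatched version numbers are constructed sample data.

```python
import re

# Fixed builds as stated on this page. Chrome uses the lowest build the
# advisory lists (.177); NVD words the affected range as "before 146.0.7680.178".
FIXED = {
    "Google Chrome": (146, 0, 7680, 177),
    "Microsoft Edge": (146, 0, 3856, 97),
}

VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})\b")

def parse(banner):
    """Split a '<product> <a.b.c.d>' banner into (product, version tuple)."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None, None
    # Integer tuples compare numerically, so build 99 sorts below build 177
    # (a plain string comparison would get this wrong).
    return m["product"], tuple(int(p) for p in m["ver"].split("."))

def status(installed_banner, running_banner=None):
    """Classify one host: PATCHED, VULNERABLE, RESTART_PENDING or UNKNOWN."""
    product, installed = parse(installed_banner)
    fixed = FIXED.get(product)
    if fixed is None or installed is None:
        return "UNKNOWN"  # e.g. Vivaldi: the page gives no build number
    if installed < fixed:
        return "VULNERABLE"
    if running_banner is not None:
        r_product, running = parse(running_banner)
        if r_product != product or running is None:
            return "UNKNOWN"
        if running < fixed:
            return "RESTART_PENDING"  # patch on disk, old build still in memory
    return "PATCHED"

# Constructed inventory: (host, installed banner, banner of the running process).
INVENTORY = [
    ("host-a", "Google Chrome 146.0.7680.99", "Google Chrome 146.0.7680.99"),
    ("host-b", "Google Chrome 146.0.7680.178", "Google Chrome 146.0.7680.165"),
    ("host-c", "Microsoft Edge 146.0.3856.97", "Microsoft Edge 146.0.3856.97"),
    ("host-d", "Vivaldi 0.0.0.0", None),
]

def audit(inventory):
    return {host: status(inst, run) for host, inst, run in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A host reported as `RESTART_PENDING` has the fixed build installed but is still running the older one, which is the case the restart advice addresses.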
