New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Google has released a new Chrome update to patch the zero-day vulnerability CVE-2026-5281, which is already being actively exploited
Google Patches New Chrome Zero-Day CVE-2026-5281 Exploited in the Wild
TL;DR
Google has released emergency security updates for Chrome to address CVE-2026-5281, a high-severity zero-day vulnerability in the Dawn component. The flaw is being actively exploited by attackers to execute arbitrary code. Users are urged to update to version 146.0.7680.177/178 immediately.
Google announced on Thursday the release of critical security updates for the Chrome web browser, addressing a total of 21 vulnerabilities. Chief among these is a high-severity zero-day flaw, tracked as CVE-2026-5281, which the company confirms is currently being exploited in the wild.
Understanding CVE-2026-5281: The Use-After-Free Flaw
The vulnerability is identified as a use-after-free (UAF) bug within Dawn, the open-source, cross-platform implementation of the WebGPU standard used by Chrome.
According to the NIST National Vulnerability Database (NVD), the flaw allows a remote attacker who has already compromised the renderer process to achieve arbitrary code execution. This is typically triggered when a user visits a specially crafted, malicious HTML page.
While the severity is marked as "High," a specific CVSS score has not yet been assigned.
Limited Details on Active Exploitation
In line with its standard security protocols, Google has refrained from sharing specific technical details regarding the nature of the attacks or the identity of the threat actors involved.
By withholding this information, Google aims to provide the majority of its user base time to apply the security patch, thereby preventing additional malicious actors from developing their own exploits based on the disclosed vulnerability.
"Google is aware that an exploit for CVE-2026-5281 exists in the wild," the company stated in its advisory.
A Growing Trend of Zero-Days
The discovery of CVE-2026-5281 comes during a busy year for Google’s security teams. It is the fourth actively exploited zero-day patched in Chrome since the beginning of 2026.
Recent history includes:
- February 2026: Fixes for CVE-2026-2441, a UAF bug in the CSS component.
- Recently: Fixes for CVE-2026-3909 and CVE-2026-3910, two other high-severity flaws exploited in the wild.
Recommended Action: How to Update
To protect against potential exploitation, users must ensure they are running the latest version of the browser. The fixed versions are:
- Windows and macOS: 146.0.7680.177/.178
- Linux: 146.0.7680.177
To update Google Chrome manually:
- Open Chrome and click on the three vertical dots (More) in the top-right corner.
- Navigate to Help > About Google Chrome.
- Wait for the update to download and click Relaunch.
Furthermore, users of other Chromium-based browsers—such as Microsoft Edge, Brave, Opera, and Vivaldi—should remain vigilant and apply corresponding security updates as soon as they are made available by their respective developers.
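For administrators, the fixed versions listed above can be turned into a fleet check. The following is an added example, not code from Google or the source article: it classifies Google Chrome installs against those builds, and the inventory rows, host names and the choice of .177 as the minimum patched build on every platform are assumptions made for illustration. It does not cover other Chromium-based browsers, which use their own version numbers.

```python
import re

# Fixed builds as listed in the article. Where it lists ".177/.178", the lower
# build is taken as the minimum patched version (assumption of this example).
FIXED = {
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed inventory rows: (host, os, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "146.0.7680.178"),
    ("ws-002", "Windows", "Google Chrome 146.0.7680.99"),
    ("mac-01", "macOS", "146.0.7680.177"),
    ("lnx-01", "Linux", "Google Chrome 145.0.7632.160 "),
    ("lnx-02", "Linux", ""),
    ("ws-003", "Windows", "147.0.7700.12"),
]

def parse_version(text):
    """Return the four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    baseline = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if baseline is None or version is None:
        return "unknown"  # missing data is never reported as patched
    # Tuples compare numerically, so build 99 sorts below 177; comparing the
    # raw strings would wrongly rank "146.0.7680.99" above "146.0.7680.177".
    return "patched" if version >= baseline else "vulnerable"

def audit(inventory):
    """Group host names by status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, os_name, version_text in inventory:
        report[classify(os_name, version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, since an empty or unparseable version string says nothing about patch state.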
Conclusion
As zero-day exploits become increasingly common, the speed of patching remains the most effective defense for end-users. With CVE-2026-5281 allowing for arbitrary code execution, this update should be treated as a priority for both individual users and IT administrators managing enterprise environments.
Source: The Hacker News


