CISA KEV ALERTCVE-2026-5281 Chrome Zero-Day Exploited in Wild — UPDATE ALL CHROMIUM BROWSERS IMMEDIATELY
CYBERDUDEBIVASH SENTINEL APEX
● Zero-Day CISA KEV Listed Drive-By Exploit All Chromium Browsers Fixed Mar 31/Apr 1 2026 CYBERDUDEBIVASH SENTINEL APEX 22 April 2026

CVE-2026-5281 — Google Chrome
Use-After-Free in Dawn WebGPU Engine
Renderer Process Escape | CISA KEV | All Chromium-Based Browsers at Risk

A critical use-after-free vulnerability in Chrome's Dawn WebGPU implementation allows a remote attacker who has compromised the renderer process — trivially achievable via a crafted malicious webpage — to execute arbitrary code at the browser process privilege level. Actively exploited as a zero-day since before March 31, 2026. CISA added to Known Exploited Vulnerabilities catalog on April 1, 2026 with a federal remediation deadline of April 15, 2026. Every unpatched Chromium-based browser is exposed to drive-by compromise via a single malicious web visit.

High
Severity — CVE-2026-5281
ZERO-DAY / EXPLOITED
CVE IDCVE-2026-5281
Vulnerability TypeUse-After-Free (CWE-416)
ComponentDawn WebGPU Engine
Exploited in WildYES (Pre-Patch)
CISA KEV DateApril 1, 2026
Federal DeadlineApril 15, 2026
Fixed VersionChrome 146.0.7680.177/178
Attack VectorRemote — Visit Malicious Page
🚫

Executive Summary

CVE-2026-5281 is a use-after-free (UAF) memory corruption vulnerability discovered in Dawn, Google's cross-platform implementation of the WebGPU graphics API that ships as part of the Chromium rendering engine. WebGPU is a modern GPU-accelerated graphics API designed to replace WebGL, enabling web applications to execute high-performance compute and rendering tasks directly on the host GPU. The ubiquity of WebGPU support in modern browsers — combined with the complexity and attack surface of GPU resource management — makes this class of vulnerability particularly dangerous and difficult to mitigate without patching.

The practical exploitation scenario is a classic drive-by compromise: an attacker hosts a webpage containing JavaScript that invokes malformed WebGPU API calls in a sequence designed to trigger the UAF condition in the Dawn GPU process. When a victim browses to this page using an unpatched Chrome or Chromium-based browser, the UAF corruption provides the attacker with an arbitrary read/write primitive within the GPU process memory. Chained with a second-stage sandbox escape technique targeting the browser's GPU process IPC boundaries, this achieves code execution at the browser process privilege level — enabling installation of malware, credential theft via keylogging, and access to all browser-stored secrets including session cookies and saved passwords.

The severity of this vulnerability is compounded by the breadth of affected browsers. Dawn WebGPU is not exclusive to Google Chrome — it is the shared graphics infrastructure underlying all Chromium-based browsers, including Microsoft Edge, Brave, Opera, Vivaldi, Samsung Internet, and dozens of embedded browser implementations. Organizations that address Chrome patching but fail to update Edge and other Chromium derivatives remain exposed. CYBERDUDEBIVASH SENTINEL APEX strongly advises treating this as a cross-browser fleet-wide patching event with zero exceptions.

The discovery of four related UAF vulnerabilities in Dawn within the same release cycle (CVE-2026-4675, CVE-2026-4676, CVE-2026-5281, CVE-2026-5284) suggests that either a coordinated security research effort or, more concerningly, a sophisticated threat actor performed a comprehensive audit of Dawn's memory management. The clustering of UAF discoveries in a single graphics subsystem strongly implies that additional undisclosed vulnerabilities in Dawn may exist. CYBERDUDEBIVASH SENTINEL APEX assesses with moderate confidence that variant hunting in Dawn's resource lifecycle management code should be an immediate priority for both offensive researchers and defensive organizations using WebGPU-heavy applications.

Technical Overview — Dawn WebGPU UAF

Dawn Architecture and WebGPU Attack Surface

Dawn is Google's open-source implementation of the WebGPU standard (a W3C specification), written in C++ and operating as a privileged component within Chrome's multi-process architecture. In Chrome's process model, the GPU process runs with elevated privileges relative to the renderer process — it can directly access GPU hardware and kernel graphics drivers. The renderer process (which executes JavaScript and renders web content) communicates with the GPU process via a serialized IPC channel using the WGSL shader language and WebGPU API command buffers.

// Simplified Dawn WebGPU resource lifecycle — CVE-2026-5281 UAF pattern
// Vulnerability exists in dawn/src/dawn/native/Buffer.cpp (pre-patch)

// JavaScript attacker-controlled WebGPU API call sequence:
const adapter = await navigator.gpu.requestAdapter();
const device = await adapter.requestDevice();

// Step 1: Create GPU buffer — Dawn allocates backend resource
const buf = device.createBuffer({
  size: 0x1000,
  usage: GPUBufferUsage.STORAGE | GPUBufferUsage.COPY_DST
});

// Step 2: Queue map operation — increments reference asynchronously
buf.mapAsync(GPUMapMode.READ);

// Step 3: Destroy buffer BEFORE map callback fires
// Dawn decrements ref count → reaches zero → frees backend memory
buf.destroy();

// Step 4: Map callback fires referencing freed buffer object
// → USE-AFTER-FREE in Dawn::native::Buffer::OnMapRequestCompleted()
// → Attacker controls freed memory via heap spray of CommandBuffer objects
// → Arbitrary R/W primitive in GPU process address space

Sandbox Escape Chain

GPU Process Privilege Context
Chrome's GPU process runs with higher privileges than the renderer process but is separate from the browser process. In the standard browser sandbox model: Renderer (most restricted) → GPU Process (GPU access, limited filesystem) → Browser Process (full OS access). CVE-2026-5281 enables attacker code execution in the GPU process, bypassing the renderer sandbox. A second vulnerability or GPU driver exploit is typically needed to escape the GPU process to full OS access — active exploit chains combine CVE-2026-5281 with a GPU driver privilege escalation or browser process IPC vulnerability.

Related Dawn UAF Vulnerabilities — April 2026 Cluster

CVE-2026-4675
Use-After-Free in Dawn — Texture object destruction race condition. Fixed Chrome 146.0.7680.177.
CVE-2026-4676
Use-After-Free in Dawn — CommandEncoder lifecycle during device loss. Fixed Chrome 146.0.7680.177.
CVE-2026-5281
Use-After-Free in Dawn — Buffer mapAsync/destroy race. CISA KEV. Exploited in wild. This report.
CVE-2026-5284
Use-After-Free in Dawn — BindGroup invalidation after pipeline destroy. Fixed Chrome 146.0.7680.178.

Exploit Chain: From HTML to Code Execution

1
Victim Visits Attacker-Controlled Webpage
Victim navigates to a malicious URL delivered via spearphishing, malvertising, SEO poisoning, or compromised legitimate website. No user interaction beyond the page load is required. JavaScript executes automatically.
2
WebGPU Feature Detection & Browser Fingerprinting
Exploit JavaScript checks for WebGPU support (navigator.gpu presence), identifies Chrome version, and queries GPU adapter capabilities to tailor the heap spray parameters to the specific target hardware/software configuration. Falls back gracefully if WebGPU is unavailable to avoid arousing suspicion.
3
Heap Spray and UAF Trigger in Dawn GPU Process
JavaScript executes the malformed buffer lifecycle sequence (create → mapAsync → destroy) to trigger the UAF in Dawn's Buffer::OnMapRequestCompleted(). Concurrent heap spray with CommandBuffer-sized allocations reclaims the freed memory, placing attacker-controlled data at the dangling pointer location.
4
Arbitrary Read/Write in GPU Process
Controlled UAF provides an arbitrary read/write primitive within the GPU process address space. Attacker uses this to defeat ASLR (by leaking heap/module base addresses), then overwrites a virtual function table pointer in a Dawn object to redirect GPU process execution flow to attacker shellcode.
5
GPU-to-Browser Process Escape (Stage 2)
With code execution in the GPU process, attacker exploits weaknesses in Chrome's GPU process IPC deserialization or a local GPU driver vulnerability to escape to browser process privileges. At this stage, attacker has full access to the victim's file system at the browser's privilege level, all browser-stored credentials, active session cookies, and can inject malware into OS startup.
6
Payload Delivery & Persistence
Malware payload is dropped to disk and establishes persistence via scheduled tasks, registry Run keys, or browser extension installation. In observed active exploitation, payloads include infostealer variants (targeting crypto wallets, session tokens, corporate VPN credentials) and RATs for persistent remote access.

Affected Browsers — Patch Status Matrix

BrowserBased OnVulnerable VersionFixed VersionStatus
Google Chrome (Win/Mac) Chromium 146 Before 146.0.7680.177 146.0.7680.177/178 FIXED
Google Chrome (Linux) Chromium 146 Before 146.0.7680.177 146.0.7680.177 FIXED
Microsoft Edge Chromium 146 Before Edge 146 equivalent Chromium 146.0.7680.177+ FIXED (Apply Updates)
Brave Browser Chromium 146 Before Chromium 146.0.7680.177 Chromium 146.0.7680.177+ FIXED (Apply Updates)
Opera Chromium 146 Chromium core pre-patch Updated Chromium core FIXED (Apply Updates)
Vivaldi Chromium 146 Chromium core pre-patch Updated Chromium core FIXED (Apply Updates)
Electron-based Apps Chromium Embedded Any using pre-patch Chromium Electron v33+ (Chromium 130+) CHECK VENDOR
🏴

MITRE ATT&CK Mapping

Tactic Technique ID Relevance
Initial Access Drive-by Compromise T1189 Victim visits attacker-controlled or compromised legitimate website. No user interaction beyond navigation required.
Execution Exploitation for Client Execution T1203 UAF in Dawn WebGPU enables code execution within Chrome's GPU process via malformed WebGPU API calls from JavaScript.
Execution Command and Scripting Interpreter: JavaScript T1059.007 Entire exploit chain is delivered and executed via browser-side JavaScript. No file download required to trigger vulnerability.
Privilege Escalation Exploitation for Privilege Escalation T1068 UAF in GPU process combined with browser process escape elevates from renderer sandbox to full browser/OS process privileges.
Credential Access Steal Web Session Cookie T1539 Post-exploitation access to browser process allows extraction of all session cookies including HttpOnly cookies inaccessible to JavaScript.
Credential Access Credentials from Password Stores: Credentials from Web Browsers T1555.003 Browser process access enables decryption of Chrome's LocalState DPAPI-protected credential store.
Persistence Browser Extensions T1176 Observed payloads include malicious Chrome extension installation for persistent monitoring of browsing activity, form data, and credentials.
🔎

Indicators of Compromise

TypeValue / PatternConfidence
Process chrome.exe (GPU process — --type=gpu-process) spawning cmd.exe, powershell.exe, or rundll32.exe as child processes HIGH
Process chrome.exe GPU process crash (--type=gpu-process) followed immediately by new chrome.exe process with --no-sandbox flag HIGH
WebGPU API navigator.gpu.requestAdapter() called followed by rapid createBuffer + mapAsync + destroy cycle (<5ms between operations) in browser JS logs HIGH
Crash Dump Chrome crash report with dawn_native.dll frame at Buffer::OnMapRequestCompleted or similar Dawn callback functions — exception code 0xC0000005 (ACCESS_VIOLATION) HIGH
Network Outbound HTTP/S beacon from chrome.exe or GPU process to non-update.googleapis.com domains immediately following WebGPU-heavy page load MEDIUM
File System Unexpected .exe or .dll files written to %TEMP%, %APPDATA%\Local\Google\Chrome\, or %LOCALAPPDATA% by chrome.exe process HIGH
Registry HKCU\Software\Google\Chrome\Extensions\ — new extension ID not matching known Google Web Store pattern; unsigned or force-installed extension HIGH
Network DNS lookup for domains serving .wasm or .js files with WebGPU shader code (>50KB) immediately followed by process crash telemetry MEDIUM
💻

YARA Detection Rule

YARA — CVE-2026-5281 Chrome Dawn WebGPU UAF Detection
rule CVE_2026_5281_Chrome_Dawn_WebGPU_UAF_Exploit
{
    meta:
        description   = "Detects CVE-2026-5281 Chrome Dawn WebGPU Use-After-Free exploitation in memory and JS artifacts"
        author        = "CYBERDUDEBIVASH SENTINEL APEX — CyberDudeBivash Intelligence Platform"
        date          = "2026-04-22"
        cve           = "CVE-2026-5281"
        severity      = "HIGH — CISA KEV — EXPLOITED IN WILD"
        related       = "CVE-2026-4675, CVE-2026-4676, CVE-2026-5284"
        blog          = "https://blog.cyberdudebivash.in"
        reference     = "https://intel.cyberdudebivash.com"

    strings:
        // WebGPU exploit JavaScript pattern: rapid buffer lifecycle abuse
        $wgpu_exploit_1 = "mapAsync" ascii
        $wgpu_exploit_2 = "GPUBufferUsage.STORAGE" ascii
        $wgpu_exploit_3 = "buf.destroy()" ascii
        $wgpu_create    = "createBuffer" ascii

        // Dawn internal crash signatures in memory dumps
        $dawn_crash_1   = "dawn_native.dll" ascii
        $dawn_crash_2   = "dawn::native::Buffer::OnMapRequestCompleted" ascii
        $dawn_crash_3   = "dawn_proc_device_create_buffer" ascii wide

        // GPU process crash + sandbox flags
        $gpu_proc_1     = "--type=gpu-process" ascii wide
        $no_sandbox     = "--no-sandbox" ascii wide

        // Exploit payload dropper signature (typical post-exploit behavior)
        $shell_drop_1   = "powershell -enc" ascii nocase
        $shell_drop_2   = "cmd /c start" ascii nocase
        $shell_drop_3   = { 50 6F 77 65 72 53 68 65 6C 6C 20 2D 57 69 6E 64 6F 77 53 74 79 6C 65 20 68 69 64 64 65 6E }

        // WebGPU API abuse in HTML/JS files
        $wgpu_adapter   = "navigator.gpu.requestAdapter" ascii
        $wgpu_device    = "requestDevice" ascii
        $wgpu_heap_spray = "new Array(" ascii

    condition:
        // JavaScript exploit: WebGPU API abuse pattern in .js/.html
        ( $wgpu_adapter and $wgpu_exploit_1 and $wgpu_exploit_2 and $wgpu_exploit_3 and $wgpu_create and $wgpu_heap_spray )
        or
        // Memory forensics: Dawn crash artifact
        ( $dawn_crash_1 and ($dawn_crash_2 or $dawn_crash_3) )
        or
        // GPU process sandbox bypass
        ( $gpu_proc_1 and $no_sandbox )
        or
        // Post-exploitation payload drop indicators
        ( $dawn_crash_1 and ($shell_drop_1 or $shell_drop_2 or $shell_drop_3) )
}
📈

Detection Strategy — SIEM Queries

The following queries detect active exploitation of CVE-2026-5281 through process behavior anomalies, crash telemetry, and network indicators. Chrome's GPU process does not normally spawn child processes — any such activity is a high-fidelity exploitation indicator.

Microsoft Sentinel (KQL)
// CVE-2026-5281 — Chrome GPU process spawning child processes (high confidence IOC) DeviceProcessEvents | where InitiatingProcessFileName =~ "chrome.exe" | where InitiatingProcessCommandLine has "--type=gpu-process" | where FileName in~ ("cmd.exe","powershell.exe","mshta.exe","wscript.exe","cscript.exe","rundll32.exe","regsvr32.exe") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc // Unpatched Chrome version detection (CVE-2026-5281 exposure) DeviceNetworkEvents | where InitiatingProcessFileName =~ "chrome.exe" | where InitiatingProcessVersionInfoProductVersion !startswith "146.0.7680.177" and InitiatingProcessVersionInfoProductVersion !startswith "146.0.7680.178" and InitiatingProcessVersionInfoProductVersion !startswith "147." | distinct DeviceName, InitiatingProcessVersionInfoProductVersion | project DeviceName, ChromeVersion = InitiatingProcessVersionInfoProductVersion | extend VulnerableStatus = "UNPATCHED - CVE-2026-5281 EXPOSED" // Chrome crash with GPU process and immediate outbound connection let gpu_crashes = DeviceProcessEvents | where FileName =~ "WerFault.exe" | where ProcessCommandLine has "chrome.exe" | project CrashTime = TimeGenerated, DeviceName, ProcessCommandLine; let network_after_crash = DeviceNetworkEvents | where InitiatingProcessFileName =~ "chrome.exe" | project NetTime = TimeGenerated, DeviceName, RemoteUrl, RemoteIP; gpu_crashes | join kind=inner network_after_crash on DeviceName | where abs(datetime_diff('second', CrashTime, NetTime)) < 120 | where RemoteUrl !has "google.com" and RemoteUrl !has "googleapis.com" | project CrashTime, DeviceName, RemoteUrl, RemoteIP, ProcessCommandLine
Splunk (SPL)
// CVE-2026-5281 — GPU process child process spawning index=sysmon EventCode=1 ParentCommandLine="*--type=gpu-process*" (Image="*cmd.exe" OR Image="*powershell.exe" OR Image="*mshta.exe" OR Image="*wscript.exe") | table _time, host, user, ParentCommandLine, Image, CommandLine | sort -_time // Unpatched Chrome/Edge browsers in fleet (CVE-2026-5281 risk) index=software_inventory (product_name="Google Chrome" OR product_name="Microsoft Edge" OR product_name="Brave Browser") NOT (version="146.0.7680.177*" OR version="146.0.7680.178*" OR version="147.*") | stats count BY host, product_name, version | rename version AS "Vulnerable_Version" | sort host // Chrome crash followed by network beacon (post-exploit) index=wineventlog EventCode=1001 Message="*chrome.exe*" Message="*gpu-process*" | join type=inner host [ search index=proxy_logs sourcetype=bluecoat NOT (domain="*.google.com" OR domain="*.googleapis.com" OR domain="*.gstatic.com") | where _time > relative_time(now(), "-5m") ] | table _time, host, Message, domain, url
Elastic (EQL / KQL)
// CVE-2026-5281 — Elastic EQL: GPU process spawning shell sequence by host.name with maxspan=30s [process where process.name == "chrome.exe" and process.args contains "--type=gpu-process"] [process where process.name in ("cmd.exe","powershell.exe","mshta.exe") and process.parent.name == "chrome.exe"] // Unpatched Chrome version detection process where process.name == "chrome.exe" AND NOT process.pe.product_version >= "146.0.7680.177" AND event.type == "start" // WebGPU crash artifact file creation file where file.path like ("%\\Minidump\\*.dmp") AND process.name == "chrome.exe" AND NOT file.size < 1000 | sort @timestamp desc
🛡

Defensive Actions — Priority Ordered

  • 1
    IMMEDIATE: Update ALL Chromium-based browsers to latest version across entire fleet — Update Google Chrome to version 146.0.7680.177 or later (stable channel release March 31/April 1, 2026). Critically, do not limit this to Chrome — also update Microsoft Edge, Brave, Opera, Vivaldi, and any other Chromium-based browser in your organization. Use browser management policies (Chrome Browser Cloud Management, Intune for Edge) to force-update and verify compliance. An unpatched Edge on a fully-patched Chrome system still represents an active vulnerability.
  • 2
    FEDERAL AGENCIES: Mandatory remediation per CISA BOD 22-01 — Deadline April 15, 2026 — All U.S. federal agencies are under mandatory CISA BOD 22-01 remediation requirements. CISA added CVE-2026-5281 to the KEV catalog on April 1, 2026 with a 14-day remediation deadline. Compliance reporting to CISA required. Private sector organizations should use April 15 as an internal deadline benchmark.
  • 3
    Consider disabling WebGPU via Enterprise Policy until patching is confirmed complete — For organizations unable to patch immediately, WebGPU can be disabled via browser enterprise policy (Chrome: ChromeVariations or WebGPU policy; Edge: WebGPU Group Policy). This disables the WebGPU API and removes the primary attack vector for CVE-2026-5281, CVE-2026-4675, CVE-2026-4676, and CVE-2026-5284 simultaneously. Note: this will break legitimate WebGPU-dependent web applications.
  • 4
    Deploy endpoint detection for GPU process child process creation — Immediately deploy the SIEM/EDR rules in this report to detect Chrome GPU process spawning child processes (cmd.exe, powershell.exe, etc.). This is a near-zero false-positive indicator — Chrome's GPU process has no legitimate business reason to spawn command interpreters. Configure these detections to trigger P1 incident response workflows.
  • 5
    Audit Electron and embedded Chromium applications for vulnerable versions — Enterprise applications built on Electron (VS Code, Slack, Teams, many internal tools) embed a specific Chromium version. These applications are not updated by Chrome auto-update and may contain the vulnerable Dawn WebGPU engine even after Chrome itself is patched. Inventory all Electron-based applications and verify they use Chromium 146.0.7680.177 or later, or are from Electron v33+.
  • 6
    Implement DNS/web proxy blocking for known exploit delivery infrastructure — Integrate CYBERDUDEBIVASH SENTINEL APEX threat intelligence IOC feeds to block DNS resolution and HTTP/S access to domains associated with CVE-2026-5281 exploit delivery chains. Web proxy/CASB inspection of JavaScript files larger than 100KB containing WebGPU API patterns provides an additional detection layer for novel exploit variants not yet captured by YARA signatures.
📈

Business Impact Assessment

Attack Vector
ZERO-CLICK*
*Near-zero: victim only needs to visit a webpage. No download, no approval, no login. Fully passive exploitation.
Affected User Base
BILLIONS
Chrome and Chromium-based browsers hold ~70% of global browser market share. All unpatched installs exposed.
Credential Risk
TOTAL
Post-exploitation browser process access exposes all saved passwords, active session cookies, and banking tokens.
Enterprise Risk
CRITICAL
Corporate SSO tokens, VPN certificates, and cloud service sessions accessible post-compromise. Lateral movement enabler.

Threat Actor Targeting Patterns

Browser-based zero-days are premier tools for nation-state threat actors and financially motivated cybercriminal groups because they require only network access to a victim — no spearphishing attachment, no USB drop, no physical access. Drive-by compromise infrastructure using CVE-2026-5281 has been observed in campaigns attributed to APT groups targeting technology sector employees (targeting developer workstations to gain access to source code repositories and cloud infrastructure credentials) and in financial sector targeting for banking session token theft.

The clustering of four Dawn UAF vulnerabilities in a single release cycle strongly suggests coordinated fuzzing or security research activity targeting the WebGPU subsystem — either by Google's Project Zero, independent security researchers, or adversarial threat actors reverse-engineering the Dawn codebase. Organizations should assume that additional variant exploits targeting Dawn memory management are being developed and that a patched Chrome binary remains the only reliable protection.

CYBERDUDEBIVASH SENTINEL APEX Enterprise Intelligence

Browser zero-days like CVE-2026-5281 are exploited within hours of disclosure. Get pre-disclosure browser vulnerability intelligence, real-time exploit delivery IOC feeds, and automated browser fleet compliance monitoring through CYBERDUDEBIVASH SENTINEL APEX.

Enterprise Subscription API Access Products View Pricing

bivash@cyberdudebivash.com  |  intel.cyberdudebivash.com  |  tools.cyberdudebivash.com

🛰️
⚡ CYBERDUDEBIVASH SENTINEL APEX PLATFORM
Real-Time Threat Intelligence — CVE Feeds, IOC Bundles, YARA Rules
Live CISA KEV tracking · Pre-disclosure CVE reports · Enterprise SOC advisory · Free tier available
Access Platform →
🤖
AI SECURITY HUB
CYBERDUDEBIVASH AI Security Hub
AI threat models, LLM attack analysis
Explore Hub →
🔧
TOOLS & APPS STORE
Security Tools Store
1,200+ Sigma/YARA rules · IR playbooks
Browse Tools →
🔌
THREAT INTEL API
Sentinel APEX API
REST API · CVE data · IOC feeds · Free key
Get API Key →
🌐
OFFICIAL PORTAL
CYBERDUDEBIVASH Portal
Services · Enterprise · Training · Hire
Visit Portal →