New Chrome Zero-Day Vulnerability Actively Exploited in Attacks — Patch Now

Google has released an emergency security update for its Chrome browser, patching a zero-day vulnerability that is already being actively exploited in the wild.

The Stable channel has been updated to version 146.0.7680.177/178 for Windows and Mac, and 146.0.7680.177 for Linux, with the rollout expected to reach all users over the coming days and weeks.

The actively exploited vulnerability, tracked as CVE-2026-5281, is a use-after-free vulnerability in Dawn Chrome’s cross-platform GPU abstraction layer used to implement WebGPU.

Use-after-free bugs occur when a program continues to reference freed memory, potentially allowing attackers to execute arbitrary code or escape the browser sandbox.

Google has officially confirmed active exploitation, stating it “is aware that an exploit for CVE-2026-5281 exists in the wild.” The flaw was discovered and reported by an anonymous researcher on March 10, 2026.

Vulnerability details and technical specifics remain restricted until a majority of users have received the patch, a standard practice Google follows to limit exploit replication.

Patch for 21 Security Vulnerabilities

Beyond the zero-day, this update delivers a sweeping set of 21 security fixes, an unusually large batch that signals significant internal security activity. Of those, 19 are rated High severity and span a wide range of Chrome subsystems.

Notable vulnerabilities patched in this release include:

• CVE-2026-5273 — Use after free in CSS (reported March 18)
• CVE-2026-5272 — Heap buffer overflow in GPU (reported March 11)
• CVE-2026-5274 — Integer overflow in Codecs (reported March 1)
• CVE-2026-5275 — Heap buffer overflow in ANGLE (reported March 4)
• CVE-2026-5276 — Insufficient policy enforcement in WebUSB (reported March 4)
• CVE-2026-5278 — Use after free in Web MIDI (reported March 6)
• CVE-2026-5279 — Object corruption in V8 (reported March 8)
• CVE-2026-5280 — Use after free in WebCodecs (reported March 11)
• CVE-2026-5284 — Use after free in Dawn (reported March 12)
• CVE-2026-5285 — Use after free in WebGL (reported March 13)
• CVE-2026-5287 — Use after free in PDF (reported March 21)
• CVE-2026-5288 — Use after free in WebView (reported by Google, March 23)
• CVE-2026-5289 — Use after free in Navigation (reported by Google, March 25)
• CVE-2026-5290 — Use after free in Compositing (reported by Google, March 25)

The sheer concentration of use-after-free bugs spanning Dawn, WebGL, WebCodecs, Web MIDI, WebView, Navigation, and Compositing highlights ongoing memory safety challenges in browser rendering pipelines.

Three of the high-severity patches were reported directly by Google’s internal security teams, suggesting some were identified through proactive threat hunting rather than external disclosure.

All Chrome users running versions prior to 146.0.7680.177 on Linux or 146.0.7680.178 on Windows and Mac are potentially exposed. Given the confirmed in-the-wild exploitation of CVE-2026-5281, enterprise users and security teams should treat this update as a critical priority patch.

To update Chrome immediately, navigate to Menu (⋮) → Help → About Google Chrome. The browser will automatically check for and apply the latest update, then prompt a restart to complete the process. Organizations managing Chrome deployments via policy should push the update through their endpoint management platforms without delay.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New Chrome Zero-Day Vulnerability Actively Exploited in Attacks — Patch Now appeared first on Cyber Security News.