New Chrome Zero-Day Vulnerability Under Active Exploitation – Patch Now

Google has pushed an urgent security update for its Chrome desktop browser to fix 21 vulnerabilities, including a critical zero-day flaw that is already being actively exploited in the wild. All Chrome users are strongly urged to update immediately.

Targeted Version

The patched version is 146.0.7680.177/.178 for Windows and Mac, and 146.0.7680.177 for Linux. Users can update by navigating to Chrome Menu → Help → About Google Chrome, where the browser will automatically download and apply the fix upon restart.

The most dangerous flaw patched in this release is CVE-2026-5281, a high-severity “use after free” memory corruption bug found in Chrome’s Dawn graphics component.

Google has officially confirmed that an active exploit exists in the wild, meaning threat actors are already using it in targeted attack campaigns.

Use-after-free bugs occur when a program continues to use a memory pointer after that memory has been freed.

Attackers can exploit this to execute arbitrary malicious code or trigger system crashes, often simply by luring a victim to visit a compromised or malicious website.

20 Additional High-Severity Fixes

Alongside the zero-day, Google patched 20 other vulnerabilities reported by external security researchers and internal teams.

The majority are high-severity memory safety issues, including:

• Heap buffer overflows in GPU and ANGLE
• Use-after-free bugs in CSS, Web MIDI, WebCodecs, WebGL, Dawn, PDF, WebView, Navigation, and Compositing
• Integer overflows in Codecs and ANGLE
• Object corruption in the V8 JavaScript engine
• Out-of-bounds reads in WebCodecs
• Insufficient policy enforcement in WebUSB

These fixes were aided by Google’s internal testing tools AddressSanitizer and MemorySanitizer, which detect memory corruption vulnerabilities before they reach stable releases.

CVE ID	Severity	Component	Issue Type
CVE-2026-5272	High	GPU	Heap buffer overflow
CVE-2026-5273	High	CSS	Use after free
CVE-2026-5274	High	Codecs	Integer overflow
CVE-2026-5275	High	ANGLE	Heap buffer overflow
CVE-2026-5276	High	WebUSB	Insufficient policy enforcement
CVE-2026-5277	High	ANGLE	Integer overflow
CVE-2026-5278	High	Web MIDI	Use after free
CVE-2026-5279	High	V8	Object corruption
CVE-2026-5280	High	WebCodecs	Use after free
CVE-2026-5281	High	Dawn	Use after free (Zero-Day)
CVE-2026-5282	High	WebCodecs	Out of bounds read
CVE-2026-5283	High	ANGLE	Inappropriate implementation
CVE-2026-5284	High	Dawn	Use after free
CVE-2026-5285	High	WebGL	Use after free
CVE-2026-5286	High	Dawn	Use after free
CVE-2026-5287	High	PDF	Use after free
CVE-2026-5288	High	WebView	Use after free
CVE-2026-5289	High	Navigation	Use after free
CVE-2026-5290	High	Compositing	Use after free
CVE-2026-5291	Medium	WebGL	Inappropriate implementation
CVE-2026-5292	Medium	WebCodecs	Out of bounds read

Security teams and enterprise administrators should prioritize deploying this patch across all Chrome-based environments immediately to block remote code execution attempts.

The browser will automatically apply the update upon a simple restart, effectively closing the exploitation window for attackers.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post New Chrome Zero-Day Vulnerability Under Active Exploitation – Patch Now appeared first on Cyber Security News.