Security & Infrastructure Tools
Google fixes fourth Chrome zero‑day exploited in attacks in 2026
Google Chrome released emergency updates to fix the fourth zero‑day vulnerability (CVE‑2026‑5281) exploited in attacks this year, addressing a use‑after‑free flaw in Dawn’s WebGPU implementation. The update is available for Stable Desktop users on Windows, macOS, and Linux, with automatic installation options. This marks the fourth actively exploited Chrome zero‑day patched since January 2026.
Google fixes fourth Chrome zero-day exploited in attacks in 2026
In a continued effort to curb growing exploitation of Chrome vulnerabilities, Google has issued emergency updates to address a fourth actively exploited zero-day in 2026. The company confirmed that an exploit for CVE-2026-5281 has been observed in the wild, prompting an out-of-band security advisory and rapid distribution of fixes across platforms.
The flaw originates from a use-after-free weakness in Dawn, the cross-platform WebGPU implementation used by the Chromium project. Exploitation of this vulnerability could trigger browser crashes, data corruption, rendering issues, or other abnormal behavior within the Chromium-based browser. Google indicated that there is evidence of real-world exploitation, though specific incidents were not disclosed to the public at this time. As with previous Chrome zero-days, bug details and any exploit links may be restricted until a majority of users have updated to a patched version.
The out-of-band update has been rolled into Chrome 146.0.7680.178 for the Stable Desktop channel, with platform-specific rollouts for Windows, macOS, and Linux. In particular, Windows users receive 146.0.7680.178, macOS users see 146.0.7680.178 (with 146.0.7680.177/178 in different macOS builds), and Linux users are at 146.0.7680.177. Google noted that this fast-tracked fix can take days or weeks to reach every user, but the update was immediately available when checked.
This is the fourth actively exploited Chrome zero-day patched so far in 2026. The first such vulnerability, CVE-2026-2441, was an iterator invalidation bug in CSSFontFeatureValuesMap, addressed in mid-February. Earlier this month, Google also patched two other Chrome zero-days exploited in attacks: CVE-2026-3909, an out-of-bounds write weakness in the Skia 2D graphics library, and CVE-2026-3910, an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
Looking back at the previous year, Google filed eight zero-day fixes in 2025 that were exploited in the wild, many of which were identified by Google’s Threat Analysis Group (TAG), known for tracking zero-days used in spyware and other high-risk campaigns. The rapid pace of these disclosures underscores the ongoing pressure on browser developers to stay ahead of attackers and the importance of timely patching for users across all supported platforms. As the Chrome team continues to release updates and refine its security processes, users are encouraged to apply patches promptly to minimize exposure to these actively exploited flaws.