INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Google fixes fourth Chrome zero-day exploited in attacks
2026-04-01 20:41 | CRITICAL HIGH
Executive Summary AI-generated
Google has fixed a new Chrome zero-day, tracked as CVE-2026-5281. The flaw is a use-after-free bug in Dawn, the WebGPU component used for graphics processing. Google released updates to fix this vulnerability and urges users to update their browser to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux). The company is aware that an exploit exists in the wild, but has acknowledged its existence since February 2026.
Technical Mitigations AI-generated
* Use secure coding practices, such as avoiding use-after-free bugs and ensuring memory safety through proper allocation and deallocation of resources.
* Regularly update operating systems, browsers, and software to ensure that known vulnerabilities are patched before they can be exploited.
* Implement robust security measures, including firewalls, intrusion detection systems, and access controls, to prevent unauthorized access to sensitive data or systems.
* Use secure protocols for communication, such as HTTPS, and implement encryption when transmitting sensitive information.
* Conduct regular penetration testing and vulnerability assessments to identify potential weaknesses in systems and applications.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-3910
CVE-2026-5281
CVE-2026-3909
CVE-2026-2441
Target & Sectors
Global Scope
Incident Timeline
01, 2026
Google released security updates for its Chrome web browser to address 21 vulnerabilities.
organisation
Vulnerability / Browser Security
Ravie Lakshmanan
Apr 01, 2026
Vulnerability / Browser Security
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild.
February 2026
Google fixes fourth actively exploited Chrome zero-day CVE-2026-5281 in February 2026.
vulnerability
CVE-2026-5281
CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026, below the other actively exploited flaws addressed by Google this year:
* February 2026 – CVE-2026-2441 – Use after free in CSS
* March 2026 – CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library and CVE-2026-3910 (CVSS score: 8.8) –
March 2026
Threat actors used a fourth actively exploited Chrome zero-day in the V8 JavaScript/WebAssembly engine implementation to target systems.
organisation
SecurityAffairs
Flaw in the implementation of the V8 JavaScript/WebAssembly engine
Pierluigi Paganini (SecurityAffairs – hacking, Google)
Apr 01, 2026
Google released a patch for its Chrome browser to fix the fourth actively exploited zero-day vulnerability of 2026.
2026/04/01
Google fixed a new Chrome zero-day, tracked as CVE-2026-5281.
organisation
BleepingComputer
While Google says that this out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates today.
organisation
CVE-2026
"Google is aware that an exploit for CVE-2026-5281 exists in the wild," the company acknowledged.
"Google is aware that an exploit for CVE-2026-5281 exists in the wild," Google said in a security advisory issued on Tuesday.
“Google is aware that an exploit for CVE-2026-5281 exists in the wild,” reads the advisory.
infrastructure
146.0.7680
"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a description of the flaw in the NIST's National Vulnerability Database (NVD).
For optimal protection, users are advised to update their Chrome browser to versions 146.0.7680.177/178 for Windows and Apple macOS, and 146.0.7680.177 for Linux.
Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux users (146.0.7680.177).
Google fixed the Chrome zero-day and urges users to update to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).
organisation
Skia 2D
Google patched two other Chrome zero-day bugs exploited in attacks earlier this month: the first is an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and the second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).
organisation
CSS
In February, the tech giant also addressed an actively exploited use-after-free bug in Chrome's CSS component (CVE-2026-2441).
The first (CVE-2026-2441) was an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), which Google addressed in mid-February.
organisation
Google
As is customary for these alerts, Google did not provide any further details on how the shortcoming is being exploited and who may be behind the effort.
Google fixes fourth Chrome zero-day exploited in attacks in 2026.
Google fixes fourth actively exploited Chrome zero-day of 2026.
organisation
Chromium
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.
As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project.
organisation
Threat Analysis Group
In 2025, Google fixed a total of eight zero-days exploited in the wild, many of which were discovered and reported by Google's Threat Analysis Group (TAG), which is known for tracking and identifying zero-day exploits used in spyware attacks.
Intelligence Sources
* The Hacker News, 2026-04-01
* BleepingComputer, 2026-04-01: Google fixes fourth Chrome zero-day exploited in attacks in 2026
* Security Affairs, 2026-04-01: Google fixes fourth actively exploited Chrome zero-day of 2026
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:59
Comprehensive Tactical Telemetry
Highly Correlated Entities
* Google Chrome (organisation, identified entity): 19x
* Apr 01, 2026 (timeline, temporal reference): 7x
* CVE-2026-5281 (vulnerability, exploited CVE): 4x
* Windows (infrastructure, affected product): 3x
Contextual Telemetry (5 metrics)
* Software Version: 146.0.7680
* Vulnerabilities: 21
* MITRE ATT&CK Technique: T1059.007 - JavaScript
* Cve-2026: 5,281
* Cve-2026 Cvss Score: 9