Google Patches Fourth Chrome Zero-Day of 2026 as CISA Orders Federal Agencies to Update Within Two Weeks

Google pushed an emergency Chrome update on April 1, 2026, patching 21 security vulnerabilities including a high-severity zero-day that was already being exploited in targeted attacks. The flaw, tracked as CVE-2026-5281, is a use-after-free bug in Dawn, the open-source cross-platform implementation of the WebGPU standard that Chrome uses for graphics processing.

Use-after-free vulnerabilities occur when software continues to reference a memory location after it has been freed, creating an opening for attackers to corrupt data, crash the application, or execute arbitrary code. According to the NIST National Vulnerability Database description, a remote attacker who had already compromised the renderer process could exploit CVE-2026-5281 to execute arbitrary code via a crafted HTML page.

“Google is aware that an exploit for CVE-2026-5281 exists in the wild,” the company stated in its security advisory, while declining to share specifics about the attacks, noting that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

The vulnerability was discovered by a pseudonymous security researcher identified only by the hash 86ac1f1587b71893ed2ad792cd7dde32. The same researcher had previously reported two other vulnerabilities patched in Chrome’s March 23 update — CVE-2026-4675 and CVE-2026-4676 — as well as an additional use-after-free in Dawn, tracked as CVE-2026-5284, which was also addressed in this release.

The U.S. Cybersecurity and Infrastructure Security Agency responded quickly, adding CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on the same day. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies are required to apply the fix by April 15, 2026.

Users should update Chrome to version 146.0.7680.177 on Linux or 146.0.7680.177/178 on Windows and macOS. The vulnerability also affects other Chromium-based browsers; Vivaldi has already shipped its own patch, while Microsoft Edge patches are reportedly in development.

CVE-2026-5281 is the fourth actively exploited Chrome zero-day Google has patched this year. The previous three were CVE-2026-2441, an iterator invalidation bug in CSSFontFeatureValuesMap discovered in February; CVE-2026-3909, an out-of-bounds write in the Skia 2D graphics library with a CVSS score of 8.8; and CVE-2026-3910, an inappropriate implementation flaw in the V8 JavaScript engine, also rated 8.8. Both CVE-2026-3909 and CVE-2026-3910 were patched earlier in March.

The accelerating pace of Chrome zero-days — four in the first three months of 2026, matching 2025’s trajectory — underscores the persistent focus of threat actors on browser attack surfaces, particularly in graphics rendering and JavaScript execution components.