Zero-Day Security Alert — April 1, 2026: Google Chrome Dawn WebGPU Use-After-Free Actively Exploited

Daily Security Briefing

April 1, 2026

CVE-2026-5281 | CVSS 8.8 | HIGH Severity | Actively Exploited in the Wild

Affected Product

Google Chrome (Dawn / WebGPU component) — versions prior to 135.0.7049.95 (Windows/Mac) and 135.0.7049.52 (Linux)

Description

A use-after-free vulnerability in Dawn, Google Chrome's WebGPU implementation, allows remote attackers to achieve code execution via a crafted HTML page. Dawn handles GPU-accelerated graphics operations in Chrome; the flaw enables an attacker to corrupt memory after an object is freed, potentially gaining control of the rendering process. Google has confirmed that an exploit for this vulnerability exists in the wild. This is the fourth actively weaponized Chrome zero-day patched in 2026.

Attack Vector

Network-based. An attacker must lure a victim to a malicious or compromised web page containing crafted WebGPU content. No authentication or special privileges are required. User interaction is limited to visiting the page. Attack complexity is low.

Remediation

Update Google Chrome to version 135.0.7049.95 or later (Windows/Mac) or 135.0.7049.52 or later (Linux). Chrome's built-in updater will apply the patch automatically, but organizations using managed Chrome deployments should push the update immediately via their endpoint management tools. Microsoft Edge and other Chromium-based browsers should also be updated once corresponding patches are available.

CISA Remediation Due Date: April 15, 2026

This report is generated automatically from NVD and CISA KEV data.