
U.S. CISA adds a flaw in Google Dawn to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Google Dawn to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Google Dawn, tracked as CVE-2026-5281 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw is a use-after-free in the Dawn component of Google Chrome prior to 146.0.7680.178. Google Dawn is the WebGPU component used for graphics processing. A remote attacker who had already compromised the renderer process could exploit the flaw to execute arbitrary code via a crafted HTML page.

According to CISA, this vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

This week, Google released Chrome updates fixing 21 vulnerabilities, including a new actively exploited zero-day tracked as CVE-2026-5281.

Due to ongoing exploitation, the company urges users to update their browsers immediately to reduce the risk of attacks.

“Google is aware that an exploit for CVE-2026-5281 exists in the wild,” reads the advisory.

A use-after-free (UAF) bug is a type of memory error where a program continues to use a piece of memory after it has already been freed (released).

Attackers can exploit use-after-free bugs to crash applications, execute malicious code, or take control of a system. Google fixed the Chrome zero-day and urges users to update to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).
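The fixed builds named above differ by platform, and the CVE description's "prior to 146.0.7680.178" wording does not line up exactly with Google listing both 146.0.7680.177 and 146.0.7680.178 as fixed builds for Windows and macOS. The following is an added example, not code from the article or from Google, showing how a defender can run that comparison over a software inventory; the hostnames and version strings are constructed, and the three-state result (vulnerable / verify / fixed) is this example's own design.

```python
"""Added example (not from the article or Google): classify installed Chrome
builds against the fixed versions for CVE-2026-5281 as stated in the
advisory quoted above."""
from __future__ import annotations

import re

CVE_ID = "CVE-2026-5281"

# Fixed builds per platform, as listed in Google's Stable Channel update:
# 146.0.7680.177/178 for Windows and macOS, 146.0.7680.177 for Linux.
# Tuples are kept in ascending order so builds[0] is the lowest fixed build
# and builds[-1] the highest.
FIXED_BUILDS = {
    "windows": ((146, 0, 7680, 177), (146, 0, 7680, 178)),
    "macos": ((146, 0, 7680, 177), (146, 0, 7680, 178)),
    "linux": ((146, 0, 7680, 177),),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract the four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 146.0.7680.177")."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome-style version in {text!r}")
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def assess_version(version_text: str, platform: str) -> str:
    """Return "vulnerable", "verify" or "fixed" for one installed build.

    Integer-tuple comparison is used deliberately: comparing the strings
    would rank "146.0.7680.9" above "146.0.7680.178".
    "verify" is returned for a build Google lists as fixed but that is below
    the highest fixed build on that platform (146.0.7680.177 on Windows or
    macOS), because the CVE text says affected "prior to 146.0.7680.178";
    confirm such hosts against the vendor release notes rather than assuming.
    """
    try:
        builds = FIXED_BUILDS[platform.lower()]
    except KeyError:
        raise ValueError(
            f"unknown platform {platform!r}; expected one of {sorted(FIXED_BUILDS)}"
        ) from None
    v = parse_version(version_text)
    if v < builds[0]:
        return "vulnerable"
    if v < builds[-1]:
        return "verify"
    return "fixed"


def assess_inventory(inventory):
    """Run the check over (host, platform, version string) records and return
    a dict of host -> status for every host that is not cleanly fixed."""
    results = {}
    for host, platform, version_text in inventory:
        status = assess_version(version_text, platform)
        if status != "fixed":
            results[host] = status
    return results


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.177"),  # listed fix, below .178
    ("ws-02", "windows", "Google Chrome 146.0.7680.178"),
    ("mac-01", "macos", "Google Chrome 146.0.7680.9"),      # string compare trap
    ("srv-01", "linux", "Google Chrome 146.0.7680.177"),   # Linux fix is .177
    ("srv-02", "linux", "Google Chrome 145.0.7632.201"),   # constructed older build
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({CVE_ID})")
```

The check applies only to Google Chrome's own version numbering. Microsoft Edge, Opera and other Chromium-based products named by CISA ship the fix under their own version schemes and must be checked against their vendors' advisories, not against these thresholds.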

As usual, Google did not reveal technical details of the attacks exploiting this flaw or the type of attackers involved, to give users time to update and prevent others from exploiting it.

CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 15, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Google fixes fourth actively exploited Chrome zero-day of 2026

Google fixed a new Chrome zero-day, tracked as CVE-2026-5281, in the WebGPU Dawn component that is already exploited in the wild.

Google released Chrome updates fixing 21 vulnerabilities, including a new actively exploited zero-day tracked as CVE-2026-5281. The flaw is a use-after-free bug in Dawn, the WebGPU component used for graphics processing.

Due to ongoing exploitation, the company urges users to update their browsers immediately to reduce the risk of attacks.

“Google is aware that an exploit for CVE-2026-5281 exists in the wild,” reads the advisory.

A use-after-free (UAF) bug is a type of memory error where a program continues to use a piece of memory after it has already been freed (released).

Attackers can exploit use-after-free bugs to crash applications, execute malicious code, or take control of a system. Google fixed the Chrome zero-day and urges users to update to version 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux).

As usual, Google did not reveal technical details of the attacks exploiting this flaw or the type of attackers involved, to give users time to update and prevent others from exploiting it.

CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026. The other actively exploited flaws addressed by Google this year are:

  • February 2026 – CVE-2026-2441 – Use-after-free in CSS
  • March 2026 – CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library, and CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine


Pierluigi Paganini

(SecurityAffairs – hacking, Google)

Google Chrome Update Fixes 21 Flaws, Warns of Actively Exploited Vulnerability

Stable Channel Update

Google has released a Stable Channel Update for Chrome, addressing 21 security vulnerabilities, including a high-profile code smuggling vulnerability that is actively being exploited in the wild. The update rolled out on Wednesday night. Among the 21 security vulnerabilities fixed in this update, one in particular has drawn attention: a code smuggling vulnerability that allows attackers to inject malicious code into Chrome users’ systems. Google confirmed that this vulnerability is currently targeted by threat actors, making the update especially urgent for both individual users and organizations. The company noted that of the 21 vulnerabilities, 19 are classified as high-risk and two as medium severity. Confirmed exploitation in the wild makes installing the latest Stable Channel Update as soon as possible all the more important.

Details of Chrome Stable Channel Update

According to Google’s official release, the new Stable Channel Update includes:
  • Version 146.0.7680.177/178 for Windows and Mac
  • Version 146.0.7680.177 for Linux
The rollout is expected to occur over the coming days and weeks, depending on user configurations and regional distributions. Google has provided a comprehensive changelog listing all security vulnerabilities patched in this update, though access to certain bug details may remain restricted until a majority of users have installed the fix. This precaution is designed to prevent exploitation of vulnerabilities in third-party libraries that are also used by other projects.

Breakdown of High-Risk Security Vulnerabilities

The update addresses multiple high-risk vulnerabilities reported by security researchers between March 1 and March 25, 2026. Some of the most notable include:
  • CVE-2026-5273: Use-after-free in CSS, reported March 18
  • CVE-2026-5272: Heap buffer overflow in GPU, reported March 11
  • CVE-2026-5274: Integer overflow in Codecs, reported March 1
  • CVE-2026-5281: Use-after-free in Dawn, reported March 10 (actively exploited in the wild)
  • CVE-2026-5287: Use-after-free in PDF, reported March 21
Other vulnerabilities addressed involve ANGLE, WebUSB, WebCodecs, WebGL, WebView, V8, and multiple components of Chrome’s rendering engine.

Security Fixes, Exploit Awareness, and Research Contributions

Google acknowledged the ongoing threat posed by the code smuggling vulnerability, noting that CVE-2026-5281 is actively being exploited. The company also thanked the security researchers who collaborated to identify and report these issues, citing tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL as key instruments in detecting and mitigating these security vulnerabilities before they reached the stable channel. By publicly disclosing these vulnerabilities, Google aims to provide transparency while allowing users and organizations to patch their systems promptly.

Why Users Should Update Immediately

This Stable Channel Update highlights the ongoing risks posed by security vulnerabilities in widely used software like Chrome. The inclusion of actively exploited issues, such as the code smuggling vulnerability, underlines the potential consequences of delayed updates, which can include unauthorized code execution, data theft, or broader system compromise. Users are strongly encouraged to install the latest Chrome update across all devices to reduce exposure to these threats. Regularly updating browsers remains one of the most effective defenses against cyberattacks targeting widely deployed software.