CVE Reports

Originally published at cvereports.com

CVE-2026-5281: High-Severity Use-After-Free in Dawn WebGPU Implementation

Vulnerability ID: CVE-2026-5281
CVSS Score: 8.8
Published: 2026-04-01

CVE-2026-5281 is a critical Use-After-Free (UAF) vulnerability located in the Dawn WebGPU backend of Chromium-based browsers. It allows remote attackers to execute arbitrary code via a crafted HTML page leveraging a race condition in the internal GPU task queue. The flaw is actively exploited in the wild.

TL;DR

A Use-After-Free in Google Chrome's Dawn WebGPU component allows remote attackers to execute arbitrary code. The vulnerability involves a race condition in command buffer queue management and requires immediate patching to version 146.0.7680.178.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CVE ID: CVE-2026-5281
  • CVSSv3.1 Score: 8.8 (High)
  • CWE Identifier: CWE-416
  • Attack Vector: Network
  • Impact: Remote Code Execution (Renderer Process)
  • Exploit Status: Actively Exploited (In the Wild)
  • CISA KEV Status: Listed (Added 2026-04-01)

Affected Systems

  • Google Chrome: < 146.0.7680.178 (Fixed in: 146.0.7680.178)
  • Microsoft Edge: < 146.0.7680.178 (Fixed in: 146.0.7680.178)
  • Opera: < 146.0.7680.178 (Fixed in: 146.0.7680.178)
  • Chromium Embedded Framework (CEF)

Exploit Details

  • GitHub: Researcher toolkit containing a vulnerability scanner and exploit generator for CVE-2026-5281.

Mitigation Strategies

  • Deploy vendor security updates immediately across all fleet devices.
  • Disable WebGPU via Group Policy or configuration management if patching is delayed.
  • Monitor endpoint logs for unusual GPU process crashes and WebGPU API exceptions.

Remediation Steps:

  1. Identify all hosts running Chromium-based browsers via endpoint management software.
  2. Push update commands to force browser updates to version 146.0.7680.178 or higher.
  3. Run the provided scanner script to verify successful patch deployment.
  4. Restart browser processes on user machines to ensure the new binary is active.
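One way to carry out the verification in steps 1 to 3 against an endpoint-management export, as an added example (not the scanner script the report refers to). The CSV layout, host names and sample rows are constructed assumptions; the fixed build number is the one listed under Affected Systems.

```python
import csv
import io

# Fixed build as stated in this advisory's "Affected Systems" list.
FIXED = (146, 0, 7680, 178)
# Products for which the page lists a fixed version (CEF has none listed).
VERSIONED = {"google chrome", "microsoft edge", "opera"}

# Constructed sample inventory: hypothetical hosts and CSV layout.
SAMPLE_INVENTORY = """host,product,version
ws-001,Google Chrome,146.0.7680.178
ws-002,Google Chrome,146.0.7680.92
ws-003,Microsoft Edge,145.0.7600.10
ws-004,Opera,147.0.7700.1
ws-005,Chromium Embedded Framework (CEF),146.0.7680.100
ws-006,Google Chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(product, version_text):
    """Return 'patched', 'vulnerable' or 'review' for one inventory row."""
    version = parse_version(version_text)
    if product.strip().lower() not in VERSIONED or version is None:
        # No fixed build listed for this product, or the version is
        # unreadable: never assume patched, send to manual review.
        return "review"
    # Tuple comparison is numeric per component, so 7680.92 < 7680.178
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Map each status to the list of hosts in that state."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["product"], row["version"])].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A host only counts as remediated once the browser has been restarted (step 4), so the inventory should report the version of the running binary rather than the one staged on disk.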


Read the full report for CVE-2026-5281 on our website for more details including interactive diagrams and full exploit analysis.