Advisory

Google Patches Fourth Chrome Zero-Day of 2026 in Emergency Update

Take action: Once more, an urgent patch for Chrome: Google is patching an actively exploited flaw in the browser. DON'T DELAY! Update all your Chrome and Chromium-based browsers (Edge, Opera, Brave, Vivaldi...). Updating the browser is easy, and all your tabs reopen after the patch.


Google has released an emergency security update for its Chrome browser to patch 21 vulnerabilities, including a high-severity zero-day flaw that is being actively exploited in the wild.

Vulnerabilities summary:

  • Actively exploited zero-day tracked as CVE-2026-5281 (CVSS score not yet assigned, rated High severity by Google), a use-after-free (UAF) bug in Dawn, the open-source, cross-platform implementation of the WebGPU standard used in Chromium and Chromium-based browsers. A remote attacker who had already compromised the renderer process could exploit this flaw to execute arbitrary code via a specially crafted HTML page. Google has confirmed awareness of in-the-wild exploitation but has not disclosed specific details about the attacks or the threat actors behind them, stating that access to bug details will remain restricted until a majority of users have received the fix.

In addition to the zero-day, the update resolves 20 other security flaws, all rated High or Medium severity. The most notable vulnerabilities include:

  • CVE-2026-5273 (High) - Use after free in CSS
  • CVE-2026-5272 (High) - Heap buffer overflow in GPU
  • CVE-2026-5274 (High) - Integer overflow in Codecs
  • CVE-2026-5275 (High) - Heap buffer overflow in ANGLE
  • CVE-2026-5276 (High) - Insufficient policy enforcement in WebUSB
  • CVE-2026-5277 (High) - Integer overflow in ANGLE
  • CVE-2026-5278 (High) - Use after free in Web MIDI
  • CVE-2026-5279 (High) - Object corruption in V8
  • CVE-2026-5280 (High) - Use after free in WebCodecs
  • CVE-2026-5282 (High) - Out of bounds read in WebCodecs
  • CVE-2026-5283 (High) - Inappropriate implementation in ANGLE
  • CVE-2026-5284 (High) - Use after free in Dawn
  • CVE-2026-5285 (High) - Use after free in WebGL
  • CVE-2026-5286 (High) - Use after free in Dawn
  • CVE-2026-5287 (High) - Use after free in PDF
  • CVE-2026-5288 (High) - Use after free in WebView
  • CVE-2026-5289 (High) - Use after free in Navigation
  • CVE-2026-5290 (High) - Use after free in Compositing
  • CVE-2026-5291 (Medium) - Inappropriate implementation in WebGL
  • CVE-2026-5292 (Medium) - Out of bounds read in WebCodecs

The flaws are patched in versions 146.0.7680.177/178 for Windows and macOS, and 146.0.7680.177 for Linux.  Google has pushed the fix to the Stable Desktop channel, and updated versions are now rolling out to all platforms.

Google typically restricts disclosure of exploitation details to prevent additional threat actors from developing their own exploits before the majority of users have updated. 

Organizations and individual users are strongly urged to update Google Chrome to version 146.0.7680.177/178 immediately, and to install the latest versions of Opera, Edge, Vivaldi, and Brave.
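For teams tracking the rollout, the following added example (not part of the original advisory or any Google tooling) checks a browser inventory against the fixed builds stated above. The CSV layout, host names, sample versions and function names are assumptions made for illustration.

```python
import csv
import io
import re

# Lowest fixed build per platform, from the advisory
# (146.0.7680.177/178 on Windows and macOS, 146.0.7680.177 on Linux).
FIXED_BUILD = {
    "windows": (146, 0, 7680, 177),
    "macos": (146, 0, 7680, 177),
    "linux": (146, 0, 7680, 177),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE_INVENTORY = """\
host,platform,product,version
ws-001,windows,Google Chrome,Google Chrome 146.0.7680.178
ws-002,windows,Google Chrome,Google Chrome 146.0.7680.165
mac-014,macos,Google Chrome,Google Chrome 145.0.7632.160
lnx-203,linux,Google Chrome,Google Chrome 146.0.7680.177
ws-077,windows,Microsoft Edge,146.0.3856.62
lnx-310,linux,Google Chrome,not installed
"""

def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def classify(platform, product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    if product.strip().lower() != "google chrome":
        # Other Chromium-based browsers use their own version numbers,
        # and the advisory lists no fixed builds for them.
        return "unknown"
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component, so .99 sorts below .177.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map each host in a CSV inventory to its patch status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["platform"], row["product"], row["version"])
            for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` need a manual check against the relevant vendor's release notes rather than being counted as patched.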