Google Warns of New Chrome Zero-Day Under Active Exploitation — Users Urged to Update Immediately
Google has released an urgent security update for Chrome desktop (version 146.0.7680.177/.178 for Windows/Mac, 146.0.7680.177 for Linux) to patch 21 vulnerabilities, including a critical zero-day flaw actively exploited in the wild.
Active Zero-Day Threat
The most severe vulnerability is CVE-2026-5281, a high-severity “use after free” memory flaw in the Dawn component. Google confirmed active exploitation in targeted attacks.
This bug allows attackers to execute malicious code or crash systems when victims visit compromised sites.
Google also fixed 20 other high-severity memory safety issues (heap buffer overflows, use-after-free) in components like WebCodecs, ANGLE, and V8, enabled by AddressSanitizer/MemorySanitizer.
For tracking, see the full CVE list below.
| CVE ID | Severity | Description | Reporter |
|---|---|---|---|
| CVE-2026-5272 | High | Heap buffer overflow in GPU | inspector-ambitious |
| CVE-2026-5273 | High | Use after free in CSS | Anonymous |
| CVE-2026-5274 | High | Integer overflow in Codecs | heapracer |
| CVE-2026-5275 | High | Heap buffer overflow in ANGLE | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5276 | High | Insufficient policy enforcement in WebUSB | Ariel Simon |
| CVE-2026-5277 | High | Integer overflow in ANGLE | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5278 | High | Use after free in Web MIDI | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5279 | High | Object corruption in V8 | Hyeonjun Ahn |
| CVE-2026-5280 | High | Use after free in WebCodecs | heapracer |
| CVE-2026-5281 | High | Use after free in Dawn | 86ac1f1587b71893ed2ad792cd7dde32 |
| CVE-2026-5282 | High | Out of bounds read in WebCodecs | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5283 | High | Inappropriate implementation in ANGLE | sweetchip |
| CVE-2026-5284 | High | Use after free in Dawn | 86ac1f1587b71893ed2ad792cd7dde32 |
| CVE-2026-5285 | High | Use after free in WebGL | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5286 | High | Use after free in Dawn | sweetchip |
| CVE-2026-5287 | High | Use after free in PDF | Syn4pse |
| CVE-2026-5288 | High | Use after free in WebView | |
| CVE-2026-5289 | High | Use after free in Navigation | |
| CVE-2026-5290 | High | Use after free in Compositing | |
| CVE-2026-5291 | Medium | Inappropriate implementation in WebGL | heapracer |
| CVE-2026-5292 | Medium | Out of bounds read in WebCodecs |
Chrome users should update immediately. Organizations must deploy this patch to protect against potential remote code execution attempts.
The fix takes effect on restart.