
Chrome Dawn Use-After-Free Remote Code Execution Vulnerability

CISA Known Exploited Vulnerabilities (KEV)
Published April 2nd, 2026
Detected April 2nd, 2026

Summary

CISA added CVE-2026-5281 to the Known Exploited Vulnerabilities catalog. This is a use-after-free vulnerability in Google Chrome's Dawn component (versions prior to 146.0.7680.178) that allows remote code execution via a crafted HTML page. The vulnerability has an active exploitation status per SSVC analysis and a CVSS score of 8.8 (High).

What changed

CISA has cataloged CVE-2026-5281, a use-after-free vulnerability in Dawn within Google Chrome. The flaw allows a remote attacker who has compromised the renderer process to execute arbitrary code through a crafted HTML page. Affected versions are prior to 146.0.7680.178. The CVSS 3.1 score is 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The SSVC analysis records exploitation as active, automatable as no, and technical impact as total.

Organizations running Google Chrome should verify their current version and update to 146.0.7680.178 or later immediately. Federal civilian executive branch agencies have 21 days to remediate per BOD 22-01 requirements. All other entities are strongly encouraged to apply the patch as soon as possible given confirmed active exploitation in the wild.

What to do next

  1. Verify the Google Chrome version on all endpoints and identify any running a version prior to 146.0.7680.178
  2. Update Google Chrome to version 146.0.7680.178 or later to remediate the vulnerability
  3. Review systems for signs of exploitation given active KEV status
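
One way to carry out steps 1 and 2 against an exported software inventory, as an added example that is not part of the CISA record or the original page. The CSV layout (`host`, `chrome_version`) and every hostname and version in the sample are constructed; only the fixed version 146.0.7680.178 comes from the advisory. Versions are compared as integer tuples because a plain string comparison ranks 146.0.7680.99 above 146.0.7680.178 and would report that host as patched.

```python
import csv
import io

FIXED = "146.0.7680.178"  # first fixed version, taken from the advisory

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = """host,chrome_version
ws-001,146.0.7680.178
ws-002,146.0.7680.99
ws-003,145.0.7632.160
ws-004,146.0.7681.12
ws-005,147.0.7700.3
ws-006,
ws-007,146.0.7680
"""

def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text, fixed=FIXED):
    """'vulnerable' below the fixed build, 'patched' at or above it, else 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or truncated data needs manual follow-up
    return "vulnerable" if version < parse_version(fixed) else "patched"

def triage(inventory_csv):
    """Group hostnames from the CSV text by classification."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["chrome_version"] or "")].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` have a missing or truncated version string and should be re-queried rather than assumed patched.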

Source document (simplified)

Required CVE Record Information

CNA: Chrome

Description

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Product Status

Versions 1 Total

Default Status: unknown

affected

  • affected from 146.0.7680.178 before 146.0.7680.178

References 2 Total

Authorized Data Publishers

CISA-ADP

Updated: 2026-04-02

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-04-01 |

KEV 1 Total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-5281 (2026-04-01)

CVSS 1 Total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.8 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

Named provisions

Known Exploited Vulnerabilities Catalog Chrome Dawn Vulnerability

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CISA
Published: April 2nd, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CVE-2026-5281

Who this affects

Applies to: Technology companies, Government agencies, Public companies
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability Management, Software Patching, Browser Security
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Product Safety, Data Privacy
