Urgent: Chrome Emergency Patch Deploys Against Active Zero-Day Exploit

Google has issued an emergency patch for its Chrome browser, addressing a severe zero-day vulnerability (CVE-2026-5281) that is being actively exploited in the wild. The update brings the Stable channel to version 146.0.7680.177/178 for Windows and Mac, and 146.0.7680.177 for Linux. Users are strongly advised to update their browsers immediately; the rollout is expected to reach all users over the coming days and weeks.

Chrome Emergency Patch: Zero-Day Under Active Attack (CVE-2026-5281)

The actively exploited vulnerability, tracked as CVE-2026-5281, is a use-after-free flaw in Dawn, Chrome’s cross-platform GPU abstraction layer used to implement WebGPU. Use-after-free bugs are particularly dangerous because they occur when a program accesses memory that has already been freed, creating a pathway for attackers to potentially execute arbitrary code or escape the browser’s sandboxed environment.

Google has officially confirmed the in-the-wild exploitation, stating that it “is aware that an exploit for CVE-2026-5281 exists in the wild.” The flaw was first discovered and reported by an anonymous researcher on March 10, 2026. In line with its standard security practices, Google is restricting public disclosure of vulnerability details and technical specifics until a majority of users have received this Chrome emergency patch, thereby limiting exploit replication attempts.

Sweeping Security Update: 21 Vulnerabilities Addressed

Beyond the critical zero-day, this comprehensive Chrome emergency patch delivers a sweeping set of 21 additional security fixes. This unusually large batch signals significant internal security activity at Google. Of these, an alarming 19 are rated as High severity, spanning a wide array of Chrome subsystems and highlighting ongoing efforts to bolster browser security.

Key Vulnerabilities Patched in This Release:

  • CVE-2026-5273 — Use after free in CSS (reported March 18)
  • CVE-2026-5272 — Heap buffer overflow in GPU (reported March 11)
  • CVE-2026-5274 — Integer overflow in Codecs (reported March 1)
  • CVE-2026-5275 — Heap buffer overflow in ANGLE (reported March 4)
  • CVE-2026-5276 — Insufficient policy enforcement in WebUSB (reported March 4)
  • CVE-2026-5278 — Use after free in Web MIDI (reported March 6)
  • CVE-2026-5279 — Object corruption in V8 (reported March 8)
  • CVE-2026-5280 — Use after free in WebCodecs (reported March 11)
  • CVE-2026-5284 — Use after free in Dawn (reported March 12)
  • CVE-2026-5285 — Use after free in WebGL (reported March 13)
  • CVE-2026-5287 — Use after free in PDF (reported March 21)
  • CVE-2026-5288 — Use after free in WebView (reported by Google, March 23)
  • CVE-2026-5289 — Use after free in Navigation (reported by Google, March 25)
  • CVE-2026-5290 — Use after free in Compositing (reported by Google, March 25)

The sheer concentration of use-after-free bugs across various components like Dawn, WebGL, WebCodecs, Web MIDI, WebView, Navigation, and Compositing underscores persistent memory safety challenges within browser rendering pipelines. Notably, three of these high-severity patches were reported directly by Google’s internal security teams, indicating proactive threat hunting and continuous internal security audits.

Immediate Action Required: Update Your Chrome Browser Now

All Chrome users running versions prior to 146.0.7680.177 on Linux or 146.0.7680.178 on Windows and Mac are potentially exposed to these vulnerabilities. Given the confirmed active exploitation of CVE-2026-5281, enterprise users and security teams should treat this Chrome emergency patch as a paramount priority.

To update Chrome immediately, navigate to Menu (⋮) → Help → About Google Chrome. Your browser will automatically check for and apply the latest update, then prompt a restart to complete the process. Organizations managing Chrome deployments via policy should push this critical update through their endpoint management platforms without any delay to ensure their systems are protected.
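For security teams triaging a fleet, the version check described above can be scripted. The following is an added example, not code from Google or from this article: it classifies endpoints against the patched builds stated above, and the inventory format, hostnames and reported version strings are constructed assumptions.

```python
import re

# Minimum patched Stable builds per platform, as stated in the article above.
FIXED_BUILD = {
    "linux": (146, 0, 7680, 177),
    "windows": (146, 0, 7680, 178),
    "mac": (146, 0, 7680, 178),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of text like 'Google Chrome 146.0.7680.177'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'exposed', or 'unknown' for one endpoint."""
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparsable data is followed up, never assumed safe
    # Tuples compare numerically field by field, so .99 < .177
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "exposed"


def hosts_needing_update(inventory):
    """Return sorted (host, status) pairs for endpoints not confirmed patched."""
    flagged = []
    for host, platform, version_text in inventory:
        status = classify(platform, version_text)
        if status != "patched":
            flagged.append((host, status))
    return sorted(flagged)


# Constructed sample inventory (hostnames and reported versions are made up).
SAMPLE_INVENTORY = [
    ("lin-01", "linux", "Google Chrome 146.0.7680.177"),
    ("lin-02", "linux", "Google Chrome 146.0.7680.99"),
    ("win-01", "windows", "146.0.7680.178"),
    ("win-02", "Windows", "145.0.7632.200"),
    ("mac-01", "mac", "Google Chrome 146.0.7680.165"),
    ("mac-02", "mac", "not installed"),
]

if __name__ == "__main__":
    for host, status in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have no parsable version or an unrecognized platform and should be checked by hand.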
