Google has released an emergency security update for its Chrome desktop browser to address 21 vulnerabilities, including a confirmed zero-day flaw that is already being actively exploited by threat actors in real-world attack campaigns. The update, which brings Chrome to version 146.0.7680.177 for Linux and 146.0.7680.177/178 for Windows and macOS, represents one of the most significant Chrome security releases of 2026 and demands immediate action from all users, enterprise administrators, and security teams globally.
The actively exploited vulnerability at the centre of this emergency update is CVE-2026-5281, a high-severity use-after-free bug discovered in Dawn — Chrome's open-source, cross-platform GPU abstraction layer that implements the WebGPU standard. Use-after-free vulnerabilities occur when a program continues to reference a memory location after that memory has already been freed and potentially reallocated for a different purpose. Attackers who successfully exploit such flaws can execute arbitrary code, trigger application crashes, or, in more serious cases, escape the browser sandbox entirely and gain access to the underlying operating system.
According to the NIST National Vulnerability Database, CVE-2026-5281 allows a remote attacker who has already compromised the renderer process to execute arbitrary code via a crafted HTML page. In practical terms, this means a victim can be fully compromised simply by visiting a malicious or attacker-controlled webpage that pairs a renderer compromise with this flaw; no additional user interaction is required beyond loading the page. Google has officially acknowledged the threat, confirming that it is aware an exploit for CVE-2026-5281 exists in the wild. The flaw was originally reported by an anonymous researcher on March 10, 2026. As is standard practice, Google has withheld detailed technical information about the vulnerability and the specific attack campaigns exploiting it until the majority of users have received the patch, to prevent additional threat actors from developing their own exploits.
Underscoring the severity and confirmed active exploitation of this flaw, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026. Federal Civilian Executive Branch agencies have been given a mandatory patch deadline of April 15, 2026. While this binding directive applies only to U.S. federal agencies, security professionals widely treat a CISA KEV listing as a strong signal that every organisation, public or private, should treat the affected software as an immediate patching priority.
Beyond the zero-day, this Chrome update delivers an unusually large batch of 21 security fixes in total, 19 of them rated High severity. The breadth and volume of vulnerabilities addressed in a single release highlight significant and ongoing memory safety challenges within Chrome's complex rendering pipeline. The most notable additional vulnerabilities patched include a heap buffer overflow in the GPU component; use-after-free bugs in CSS, Web MIDI, WebCodecs, WebGL, Dawn, PDF, WebView, Navigation, and Compositing; an object corruption flaw in the V8 JavaScript engine; integer overflows in Codecs and ANGLE; out-of-bounds reads in WebCodecs; and insufficient policy enforcement in WebUSB.
Three of the high-severity patches were identified and reported directly by Google's internal security teams rather than through external disclosure, suggesting that some of these flaws were proactively discovered through internal threat hunting and automated vulnerability detection using tools including AddressSanitizer and MemorySanitizer. The sheer concentration of use-after-free bugs spanning so many distinct Chrome subsystems in a single release is particularly noteworthy for security teams conducting browser risk assessments.
This is not an isolated event. CVE-2026-5281 is the fourth Chrome zero-day to be actively weaponised in 2026 alone. Earlier in the year, Google patched two high-severity zero-days tracked as CVE-2026-3909 and CVE-2026-3910, and in February addressed a separately exploited use-after-free bug in Chrome's CSS component tracked as CVE-2026-2441. The pattern of repeated, actively exploited Chrome zero-days within such a compressed timeframe signals sustained and deliberate attacker interest in browser-based exploitation as an initial access vector — a trend that aligns with the broader shift toward client-side attacks targeting end-user devices rather than server infrastructure.
All Chrome users running any version prior to 146.0.7680.177 on Linux or 146.0.7680.178 on Windows and macOS are currently exposed to active exploitation risk. Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are similarly advised to apply updates from their respective vendors as soon as patches become available, as these browsers share the same underlying engine and are likely affected by the same flaws.
To update Chrome immediately, navigate to the three-dot menu in the top right corner, select Help, then About Google Chrome. The browser will automatically check for and apply the latest update, after which a browser restart will complete the patching process. Enterprise administrators managing Chrome deployments across organisational endpoints should push the update through their endpoint management platforms without delay and verify patch deployment across all managed devices as a priority.
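As an added example (not Google's code), a POSIX shell check that administrators can run against the output of `google-chrome --version` to confirm a host is at or above the fixed build for its platform; the sample version line at the bottom is constructed, and the Windows/macOS platform names are assumptions for the lookup.

```shell
#!/bin/sh
# Added example (not Google's code): check an installed Chrome version against
# the minimum patched build named in the advisory.

# Return 0 if dotted version $1 >= $2, comparing each component numerically
# (so 146.0.7680.9 is correctly treated as older than 146.0.7680.177).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        : "${ai:=0}" "${bi:=0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Pull the dotted version out of a `google-chrome --version` line,
# e.g. "Google Chrome 146.0.7680.150" -> "146.0.7680.150".
parse_chrome_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*[0-9]\).*$/\1/p'
}

# Return 0 if version $1 is at or above the fixed build for platform $2
# (linux, windows, macos), 1 if it still needs updating, 2 if unknown.
chrome_is_patched() {
    case "$2" in
        linux)         required="146.0.7680.177" ;;
        windows|macos) required="146.0.7680.178" ;;
        *) echo "unknown platform: $2" >&2; return 2 ;;
    esac
    version_ge "$1" "$required"
}

# Stand-alone run: inspect the local Linux install if Chrome is on PATH,
# otherwise use a constructed sample line (not real machine output).
if command -v google-chrome >/dev/null 2>&1; then
    line=$(google-chrome --version 2>/dev/null)
else
    line="Google Chrome 146.0.7680.150"
fi
v=$(parse_chrome_version "$line")
if chrome_is_patched "$v" linux; then
    echo "Chrome $v: at or above patched build"
else
    echo "Chrome $v: below patched build (or unknown platform), update required"
fi
```

Component-wise comparison matters here: a plain string comparison would rank 146.0.7680.9 above 146.0.7680.177 and report a vulnerable host as patched.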
Given confirmed active exploitation, a CISA KEV listing, and the fourth zero-day of 2026 in the same browser, this update must be treated as a critical priority — not a routine maintenance task.