The vulnerability, tracked as CVE-2026-5281, threatens the world’s 3.5 billion Chrome users, according to a report in Forbes.

Google has already begun distributing a new security update to fix this high-severity flaw, along with 20 other vulnerabilities.

The rollout of the update could take several days — or even weeks — before reaching all Chrome users.

Meanwhile, users who want immediate protection can manually update their browser to apply the patch without waiting.

About CVE-2026-5281 zero-day

Zero-day vulnerabilities in Chrome are becoming increasingly common.

CVE-2026-5281 is the fourth zero-day patched in the first quarter of 2026 alone, following CVE-2026-2441 in February and CVE-2026-3909 and CVE-2026-3910 in March.

By comparison, Google patched only eight zero-days in all of 2025.

Technical details remain limited. Google’s Chrome team, represented by Srinivas Sista, explained that bug details are often withheld until most users have applied the fix.

What is known is that CVE-2026-5281 is a use-after-free memory vulnerability affecting Chrome’s cross-platform Dawn WebGPU component.

Exploitation of this flaw could result in browser crashes, data corruption, and arbitrary code execution via specially crafted web pages.

CISA adds Chrome zero-day to known exploited vulnerabilities list

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-5281 to its Known Exploited Vulnerabilities catalogue.

The agency issued a binding operational directive requiring certain federal agencies to apply the update promptly.

CISA also strongly advised organisations outside the federal government to address the vulnerability immediately to reduce exposure to potential cyberattacks. Although non-federal organisations are not legally required to act, cybersecurity experts advise evaluating the vulnerability and installing the patch promptly.