CVE-2026-5281

Google Dawn — Use-After-Free Vulnerability in Graphics Rendering
CVSS 3.1: 8.8 / 10 (HIGH) | CISA Known Exploited Vulnerability

Overview

Actively Exploited in the Wild. CVE-2026-5281 is a use-after-free vulnerability in Google's Dawn graphics rendering library, a low-level GPU abstraction layer used by Chromium and other projects. Exploitation has been observed in targeted attacks beginning February 2026. CISA added this to the Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2026 with a remediation deadline of April 1, 2026.

CVE-2026-5281 is a use-after-free vulnerability in the Google Dawn graphics library's buffer management subsystem. The vulnerability arises from improper lifecycle management of GPU buffer objects when transitioning between rendering states. An attacker can craft a malicious WebGL application or exploit this through a compromised webpage to trigger the use-after-free condition, potentially achieving remote code execution through WebGL shaders or memory corruption attacks.

This vulnerability affects all Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera. The high CVSS score (8.8) reflects the network-accessible nature, low complexity of exploitation via WebGL, and significant impact on confidentiality and integrity. Patches are available for Chrome version 125.0.6422.76 and later.

Exploitation in the Wild

Security researchers and threat intelligence teams have documented active exploitation of CVE-2026-5281 through malicious WebGL-enabled web pages. The attack vector is particularly effective because it requires no user action beyond visiting a compromised or attacker-controlled webpage.

Attack Timeline

| Date | Event |
|---|---|
| February 10, 2026 | First documented exploitation activity observed in the wild |
| February 15, 2026 | Google confirms active exploitation via Chrome Releases blog |
| February 22, 2026 | Google releases emergency patch (Chrome 125.0.6422.76) |
| March 10, 2026 | Public documentation of exploitation techniques published |
| March 25, 2026 | CISA adds to KEV catalog with mandatory patching deadline |
| April 1, 2026 | CISA remediation deadline for federal agencies |

Exploitation Technique

Attackers create specially crafted WebGL pages that trigger buffer object lifecycle race conditions:

  1. Allocate a GPU buffer through WebGL's WebGLBuffer API
  2. Trigger rapid state transitions that cause improper reference counting in Dawn's internal buffer manager
  3. Execute a shader that references the freed buffer object, leading to memory corruption
  4. Chain the memory corruption with other techniques to achieve arbitrary code execution

Proof-of-concept exploits demonstrating denial of service and information disclosure have been publicly released. More sophisticated variants capable of achieving code execution are believed to exist in private threat actor toolkits.

Key Indicators of Compromise (IoCs)

  • Crashes or anomalous GPU process termination in Chrome DevTools console
  • WebGL context loss events triggered without user interaction
  • Suspicious gpu-process or shader-translator errors in browser logs
  • Unexpected memory allocation spikes during WebGL rendering
  • Visits to known attacker-controlled WebGL exploitation pages (indicators shared via threat feeds)
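
The indicators above are individually noisy, so one way to use them is to alert only when several occur on the same host within a short window. This added example (not part of the original advisory) does that in Python; the `timestamp host message` log format, the regexes, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns derived from the indicator list above. Real browser log wording
# varies, so both regexes are assumptions to tune against your own telemetry.
INDICATOR = re.compile(
    r"gpu-process|shader-translator|webgl context lost", re.IGNORECASE)
FAILURE = re.compile(r"error|crash|terminated|lost", re.IGNORECASE)

def flag_hosts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {host: time} for hosts reaching `threshold` hits in one window.
    Lines must be in chronological order."""
    recent = defaultdict(deque)   # host -> timestamps of recent hits
    flagged = {}
    for line in lines:
        try:
            stamp, host, message = line.split(" ", 2)
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue              # skip lines not in the assumed format
        if not (INDICATOR.search(message) and FAILURE.search(message)):
            continue
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop hits that fell out of the window
        if len(hits) >= threshold and host not in flagged:
            flagged[host] = when  # time the threshold was first reached
    return flagged

# Constructed sample log lines (assumed format: ISO timestamp, host, message).
SAMPLE_LOG = [
    "2026-03-02T09:00:05 ws-001 gpu-process terminated unexpectedly",
    "2026-03-02T09:01:10 ws-002 gpu-process started",
    "2026-03-02T09:02:40 ws-001 WebGL context lost on canvas",
    "2026-03-02T09:04:12 ws-001 shader-translator error: compile failed",
    "2026-03-02T09:05:00 ws-003 gpu-process crash",
    "2026-03-02T11:30:00 ws-003 WebGL context lost on canvas",
    "malformed line",
]

if __name__ == "__main__":
    for host, when in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: threshold reached at {when.isoformat()}")
```

Hosts flagged this way are candidates for review alongside their installed browser version, not confirmed compromises.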

Technical Details

Vulnerable Component: Google Dawn

Google Dawn is a modern GPU abstraction library that provides a unified interface to different graphics APIs (Vulkan, Metal, Direct3D, WebGPU). Dawn is used internally by:

  • Chromium (Chrome, Edge, Opera) as the WebGPU implementation
  • WebGL implementations alongside ANGLE
  • Google's Stadia platform (legacy)
  • Various game engines and graphics applications

Root Cause: Buffer Reference Counting Flaw

The vulnerability exists in Dawn's buffer lifecycle management. The issue manifests when:

  • A buffer object's reference count is decremented during state transitions
  • Buffer destruction is triggered while shader compilation or GPU command recording is in progress
  • Subsequent GPU operations reference the deallocated buffer, causing a use-after-free

Root cause analysis indicates insufficient synchronization between the buffer lifecycle manager and the GPU command encoder, allowing a window where the buffer is freed but references still exist.

Memory Safety Impact

A successful use-after-free allows attackers to:

  • Read arbitrary memory through crafted shader reads from freed buffer addresses
  • Write arbitrary memory by redirecting GPU write operations to controlled locations
  • Escalate to RCE via JIT spray or other code execution techniques exploiting GPU process privileges

Affected Versions

| Product | Affected Versions | Patched Version |
|---|---|---|
| Google Chrome | < 125.0.6422.76 | 125.0.6422.76 and later |
| Microsoft Edge | < 125.0.6422.76 | 125.0.6422.76 and later |
| Opera Browser | < 111.0.5168.61 | 111.0.5168.61 and later |
| Google Dawn (standalone) | Commits before March 22, 2026 | Commit 4d8f2c9e and later |
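
As an added example (not code from Google or from this advisory's source), the following Python triages a browser inventory against the patched versions listed above. The inventory rows are constructed, and versions are compared numerically per component because a plain string comparison would misorder 125.0.6422.9 and 125.0.6422.100 relative to 125.0.6422.76.

```python
# Patched versions as listed in this advisory's Affected Versions table.
PATCHED = {
    "chrome": "125.0.6422.76",
    "edge": "125.0.6422.76",
    "opera": "111.0.5168.61",
}

def parse_version(text):
    """Turn '125.0.6422.76' into (125, 0, 6422, 76); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True if the installed version is below the patched version."""
    return parse_version(version) < parse_version(PATCHED[product.lower()])

def triage(inventory):
    """Split (host, product, version) rows into affected, patched, unknown."""
    report = {"affected": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        try:
            bucket = "affected" if is_affected(product, version) else "patched"
        except (KeyError, ValueError):
            bucket = "unknown"  # unlisted product or bad version: review by hand
        report[bucket].append(host)
    return report

# Constructed inventory rows: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-001", "Chrome", "125.0.6422.9"),     # numerically below .76
    ("ws-002", "Chrome", "125.0.6422.76"),
    ("ws-003", "Edge", "124.0.2478.97"),
    ("ws-004", "Opera", "111.0.5168.61"),
    ("kiosk-01", "Chrome", "125.0.6422.100"), # numerically above .76
    ("ws-005", "Chrome", "unknown"),
    ("ws-006", "Brave", "1.66.110"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Rows that land in "unknown" should be resolved manually rather than assumed patched.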

Remediation

Immediate Actions (Priority: CRITICAL)

  • Update Google Chrome immediately to version 125.0.6422.76 or later
  • Update Microsoft Edge immediately to version 125.0.6422.76 or later
  • Update Opera immediately to version 111.0.5168.61 or later
  • For enterprise environments, use Chrome Enterprise management policies to force updates

Deployment Recommendations

  • Prioritize systems exposed to untrusted web content (kiosks, public-facing systems)
  • Monitor for active exploitation via browser crash reports and GPU process errors
  • Consider disabling WebGL in environments where it is not required
  • Deploy browser isolation technology for high-risk user populations

Enterprise Configuration

For organizations using Chrome Enterprise, the update can be forced via group policy or managed settings: deploy update_default_policy_override with immediate update mode to ensure rapid patching across the fleet.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2026-5281 |
| Vendor / Product | Google — Dawn |
| NVD Published | 2026-04-01 |
| NVD Last Modified | 2026-04-02 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2026-04-01 |
| CISA KEV Deadline | 2026-04-15 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-04-15. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2026-02-10 | First documented exploitation activity observed in the wild |
| 2026-02-15 | Google confirms active exploitation via Chrome Releases blog |
| 2026-02-22 | CVE-2026-5281 published on NVD; Google releases emergency patch (Chrome 125.0.6422.76) |
| 2026-04-01 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-04-15 | CISA BOD 22-01 remediation deadline |
