Google has patched another zero-day vulnerability in Chrome, its fourth this year. In patching the vulnerability, tracked as CVE-2026-5281, the company acknowledged that an exploit for it already exists in the wild.
According to the report in NIST’s National Vulnerability Database, the vulnerability in Dawn, the implementation of WebGPU used by Chrome, allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. It advised users to update to Chrome 146.0.7680.178 or newer.
The three previous vulnerabilities patched in Chrome this year were in different areas of the code.
The first, tracked as CVE-2026-2441 and patched in February, was a fault in the way memory was managed in the processing of cascading style sheets (CSS).
The other two were patched in March. One was a bug in the Skia graphics library (CVE-2026-3909) that allowed write access to memory addresses outside the boundaries of a predefined buffer. The second one (CVE-2026-3910) was found in the V8 JavaScript engine, and was described by Google as an “inappropriate implementation.”
It will concern Google that, barely a quarter way through the year, it has already had to deliver fixes for four exploits in the wild. Last year, it introduced Code Mender, a security tool to help fix security vulnerabilities in open source projects, and will be looking to introduce more AI help to fix these issues.
No Responses