CVE-2026-5281: Google Chrome Dawn WebGPU Exploitation — Detection and Remediation

Google released an out-of-band security update on Thursday addressing a critical zero-day vulnerability, designated CVE-2026-5281, within its Chrome browser. This flaw, classified as a high-severity Use-After-Free (UAF) bug, resides in the Dawn component—Chrome's open-source, cross-platform implementation of the WebGPU standard.

The significance of this update cannot be overstated: Google has confirmed that this vulnerability is being actively exploited in the wild (ITW). For defenders, this signals a critical window of exposure where threat actors are deploying exploit code before organizations have fully patched. The WebGPU API, designed for high-performance 3D graphics and computation, presents a broad attack surface due to its complexity and direct access to system hardware resources. Successful exploitation of this UAF bug can allow an attacker to bypass the browser sandbox and execute arbitrary code on the victim's machine.

Technical Analysis

• CVE Identifier: CVE-2026-5281
• Vulnerability Type: Use-After-Free (CWE-416)
• Affected Component: Dawn (WebGPU implementation)
• Affected Platform: Google Chrome (Desktop versions: Windows, Mac, Linux)
• CVSS Score: N/A (Pending official rating, but rated High by vendor)
• Exploitation Status: Confirmed Active Exploitation In-The-Wild

Attack Mechanics

The vulnerability stems from a memory management error in the Dawn component. Dawn acts as a translation layer between web applications and the underlying native GPU APIs (such as Vulkan, DirectX 12, or Metal).

In a Use-After-Free scenario, the software attempts to access memory after it has been freed (deallocated). In the context of Dawn, an attacker can craft malicious WebGPU JavaScript payload to manipulate the allocation and deallocation of GPU command buffers or shared memory objects. By carefully timing these operations, they can corrupt the memory heap.

Attack Chain:

1. Initial Access: User visits a malicious or compromised website hosting the exploit WebGPU payload.
2. Trigger: The JavaScript payload executes, triggering the UAF bug in the Dawn process.
3. Memory Corruption: The attacker writes controlled data to the freed memory location.
4. Sandbox Escape/Code Execution: The corrupted memory pointer is dereferenced, leading to arbitrary code execution within the context of the browser renderer.
5. Post-Exploitation: The attacker may spawn a shell or perform further actions to escape the browser sandbox and gain system-level persistence.

Detection & Response

Detecting browser exploits often relies on identifying the "breaking glass" event—when the browser process behaves abnormally post-exploitation. Since the exploit occurs within the rendering engine (often sandboxed), detecting the specific UAF trigger via standard logs is difficult. However, we can hunt for the successful execution of unauthorized child processes spawned by the Chrome browser, which is a common technique used by attackers to establish a foothold after escaping the sandbox.

Sigma Rules

The following Sigma rule targets suspicious process creation events initiated by the Chrome browser.

---
title: Chrome Browser Spawning suspicious Shell (CVE-2026-5281)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects Google Chrome spawning a Windows Command Shell or PowerShell, potentially indicating successful exploitation of a browser vulnerability like CVE-2026-5281.
references:
  - https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - cve-2026-5281
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\chrome.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter_legitimate:
    # Filter out common false positives like users opening downloaded scripts
    CommandLine|contains:
      - 'OneDrive'
      - 'Office' 
      - 'Adobe'
  condition: selection and not filter_legitimate
falsepositives:
  - Users manually launching scripts downloaded via Chrome
  - Legitimate software updates initiated via browser
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for instances where the Chrome parent process spawns command-line interpreters.

DeviceProcessEvents
| where InitiatingProcessFileName == "chrome.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| where InitiatingProcessCommandLine !contains "--type=" // Filter out utility Chrome processes
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of the vulnerable Chrome version by inspecting the file version properties on disk.

-- Hunt for Chrome versions potentially vulnerable to CVE-2026-5281
-- Note: Replace 'target_version' with the specific fixed version string when available
SELECT FullPath, Mtime, Size, 
       parse_string(data=Version, type='VersionInfo').FileVersion AS FileVersion,
       parse_string(data=Version, type='VersionInfo').CompanyName AS Company
FROM glob(globs='C:/Program Files/Google/Chrome/Application/chrome.exe')
WHERE parse_string(data=Version, type='VersionInfo').FileVersion < "INSERT_FIXED_VERSION_HERE"
   OR FullPath =~ 'Program Files.*chrome.exe'

Remediation Script (PowerShell)

Use this PowerShell script to query the registry for the installed Google Chrome version on Windows endpoints and compare it against a secure baseline.

<#
.SYNOPSIS
    Check Google Chrome Version for CVE-2026-5281 Vulnerability
.DESCRIPTION
    Checks the CurrentVersion registry key for Google Chrome and compares it 
    against the fixed version (Placeholder used - Update script with actual patch version).
#>

$RegPath = "HKLM:\Software\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}"
$RegPathWow6432 = "HKLM:\Software\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}"
$FixedVersion = "0.0.0.0" # REPLACE THIS with the actual patched version number from the advisory
$Vulnerable = $false

$CurrentVersion = $null

if (Test-Path $RegPath) {
    $CurrentVersion = (Get-ItemProperty -Path $RegPath -Name "pv" -ErrorAction SilentlyContinue).pv
} elseif (Test-Path $RegPathWow6432) {
    $CurrentVersion = (Get-ItemProperty -Path $RegPathWow6432 -Name "pv" -ErrorAction SilentlyContinue).pv
}

if ($CurrentVersion) {
    Write-Host "Installed Chrome Version: $CurrentVersion"
    
    if ([System.Version]$CurrentVersion -lt [System.Version]$FixedVersion) {
        Write-Host "[ALERT] System is vulnerable to CVE-2026-5281." -ForegroundColor Red
        $Vulnerable = $true
    } else {
        Write-Host "[INFO] System is patched." -ForegroundColor Green
    }
} else {
    Write-Host "[WARN] Google Chrome not found in registry registry paths."
}

Remediation

Immediate action is required due to active exploitation.

1. Apply Updates: Google has released updates to the Stable Channel. Users are strongly encouraged to update to the latest version immediately.
   • Windows/Mac/Linux: Check Settings > About Chrome to trigger the update. Verify you are on the latest stable release.
2. Verify Version: Ensure the browser version is equal to or greater than the patched version released on Thursday, April 2026. (Consult the official Google advisory for the exact build number).
3. Browser Restart: Ensure the browser is completely restarted after updating to ensure the new binary is loaded.
4. User Awareness: Advise users against clicking on suspicious links or visiting untrusted websites, as the primary vector is web-based drive-by downloads.

Official Advisory:

• Google Chrome Releases Blog

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub