Overview
- Google pushed an out-of-band Chrome 146 update on Wednesday, patching 21 flaws and confirming in-the-wild exploits for CVE-2026-5281.
- The fixes are rolling out as versions 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux, and users need to restart to complete the update.
- CVE-2026-5281 is a use-after-free bug in Dawn, Chrome’s WebGPU component, that can enable code execution from a crafted web page after a renderer compromise.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog and set an April 15 remediation deadline for federal agencies, urging fast patching across Chromium-based products.
- Other browsers built on Chromium are issuing fixes, with Vivaldi already shipping and Microsoft preparing Edge, and Google is withholding attack details until most users receive the patch.