Security agencies urged Chrome users to update immediately after Google patched CVE-2026-5281, a zero-day vulnerability that was reportedly exploited in the wild. The flaw affected Chrome versions before 146.0.7680.177/178 on Windows and macOS and before 146.0.7680.177 on Linux.
The Cyber Security Agency of Singapore described the issue as a use-after-free vulnerability in Chrome's Dawn WebGPU implementation. Successful exploitation could allow a remote attacker who had already compromised the renderer process to execute arbitrary code through a crafted HTML page. In practice, that means a malicious or compromised website could become part of an attack chain.
Google's March 31 stable-channel update included 21 security fixes and delivered the patched Chrome 146 builds for desktop platforms. Because Google limits vulnerability details while users are still updating, public information about the exact exploitation path was restricted at the time of the advisory.
The case highlights why zero-day browser flaws are serious. A browser is constantly exposed to untrusted content from the open web. When a vulnerability is already being exploited before a fix is available, speed matters: every day of delay gives attackers more opportunity to target unpatched systems.
Users should ensure Chrome is updated, enable automatic updates, and restart the browser after installation. Organizations should also check Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi, since related fixes may be required there as well.
CVE-2026-5281 is a reminder that browser security is not just a technical issue for developers. It is a routine maintenance task for anyone who uses the web for email, payments, business tools or personal accounts.