Chrome Zero-Day CVE-2026-5281: Active Exploitation, CISA Alert, and the Week’s Full Security Briefing
A Chrome zero-day in WebGPU/Dawn is being actively exploited and CISA has added it to the Known Exploited Vulnerabilities catalogue. The LiteLLM/Mercor supply chain attack by Lapsus$ has been confirmed with more details. Hasbro’s SEC 8-K breach disclosure is now public, and NDAA 2026 cybersecurity compliance deadlines are approaching. Update Chrome. Now. The pattern is clear.
Chrome Zero-Day CVE-2026-5281: Use-After-Free in WebGPU/Dawn

Google disclosed and patched CVE-2026-5281, a use-after-free vulnerability in Chrome’s Dawn/WebGPU component, on April 2. CISA immediately added it to the Known Exploited Vulnerabilities (KEV) catalogue — the agency’s formal designation for vulnerabilities under active exploitation in the wild.
A use-after-free vulnerability occurs when a programme continues to use a memory pointer after the memory it references has been freed. In the browser context, this class of bug lets attackers gain arbitrary code execution inside the browser’s sandboxed renderer process — typically the first stage of an exploit chain, which then needs a separate sandbox escape to reach the underlying system.
WebGPU (the Dawn implementation in Chrome) was added to Chrome as an advanced graphics API for web applications — particularly for AI inference in-browser, 3D rendering, and high-performance compute. Its complexity makes it a recurring target for memory safety exploits. CVE-2026-5281 joins a long line of WebGPU/WebGL bugs that have required emergency patching.
Action required: Update Chrome immediately. Go to Chrome menu → Help → About Google Chrome. The patched version will auto-download. Federal agencies under CISA’s authority have a mandatory remediation deadline per the KEV catalogue. Source: Google Chrome release notes for the CVE-2026-5281 patch.
WebGPU was shipped to enable richer web experiences — but its complexity creates proportionally more attack surface. As AI inference moves to the browser, WebGPU usage will explode, and so will the value of exploits targeting it. Security teams should treat browser-side AI inference as a priority hardening target, not just a convenience feature.
Lapsus$ LiteLLM/Mercor Attack: Full Picture Emerges
Additional details emerged April 2 about the Lapsus$ supply chain attack on LiteLLM and Mercor first reported April 1. Security researchers confirmed the attack vector: Lapsus$ obtained credentials via social engineering of a third-party contractor with privileged access to both platforms.
The exfiltrated data from Mercor — an AI hiring platform — includes video recordings of AI contractor interviews. These videos are sensitive not just for the candidates recorded, but for the client companies who used Mercor to evaluate AI talent: the videos reveal which companies were hiring for which AI capabilities, providing competitive intelligence to anyone who acquires the stolen data.
LiteLLM’s response: immediate credential rotation, access log audit, and a public incident report. For organisations using LiteLLM in production, verify your API keys have been rotated and check LiteLLM’s incident report for indicators of compromise. Source: The Record’s full technical breakdown of the LiteLLM attack.
LiteLLM is open-source, widely trusted, and used across hundreds of enterprise AI deployments. A single credential compromise at a third-party contractor cascades into every downstream organisation. AI teams that adopted LiteLLM for convenience now face the same supply chain security obligations as any other production dependency. There are no free lunches in security.
Hasbro SEC 8-K Breach Disclosure

Hasbro — the toy and entertainment company — filed a Form 8-K with the SEC disclosing a material cybersecurity incident. Under SEC rules effective since December 2023, publicly traded companies must disclose material cybersecurity incidents within four business days. Hasbro’s 8-K indicates the company determined the breach met the SEC’s materiality threshold. The nature of the compromised data and the attack vector were not fully disclosed in the 8-K. Source: Hasbro SEC 8-K filing on EDGAR.
NDAA 2026 Cybersecurity Compliance Deadlines Approaching

The National Defense Authorization Act 2026 (NDAA) includes cybersecurity provisions with compliance deadlines falling in Q2 2026. Key requirements affecting defence contractors and federal suppliers include: software bill of materials (SBOM) mandates, incident reporting timelines, and enhanced authentication requirements for systems handling controlled unclassified information (CUI). Organisations that have not yet begun compliance assessments are behind schedule. The combination of new CVEs like CVE-2026-5281 and upcoming NDAA deadlines makes this a critical period for security programme prioritisation.
NDAA compliance, SEC breach disclosure requirements, and CISA KEV mandates are creating simultaneous pressure on security teams. The organisations most at risk are mid-market companies caught between enterprise-grade requirements and startup-era security budgets. If you haven’t done a compliance gap assessment for NDAA 2026, Q2 is not the time to start — you’re already late.
April 2, 2026 — Active Security Threats Summary
| Threat | CVE / Category | Severity | Action |
|---|---|---|---|
| Chrome WebGPU UAF | CVE-2026-5281 | Critical / CISA KEV | Update Chrome now |
| LiteLLM Supply Chain | Supply chain / Lapsus$ | High | Rotate API keys |
| Hasbro Breach | SEC 8-K disclosed | Material (SEC) | Monitor disclosure |
| NDAA 2026 Compliance | Regulatory / Q2 deadline | Time-sensitive | Start gap assessment |
Frequently Asked Questions
How do I check that my Chrome is patched against CVE-2026-5281?
Open Chrome → click the three-dot menu → Help → About Google Chrome. Chrome will check for updates automatically and display the current version. The patched version was included in the Chrome stable channel update released April 2, 2026. If Chrome shows it’s up to date, you are protected.
What is a use-after-free vulnerability?
A use-after-free bug occurs when software continues to reference (use) a memory location after that memory has been freed for reuse. Attackers can exploit this by placing attacker-controlled data in the freed memory so that the stale reference now points at it, then triggering the programme to act on that data — leading to arbitrary code execution.
What should organisations using LiteLLM do?
Immediately rotate all API keys used with LiteLLM. Review LiteLLM’s official incident report for indicators of compromise. Audit access logs from the period of the attack. If you handle sensitive data through LiteLLM-routed requests, notify your security team and assess whether a breach notification obligation has been triggered.
What does it mean that CVE-2026-5281 is in CISA’s KEV catalogue?
CISA’s KEV catalogue lists vulnerabilities that have been confirmed as actively exploited in real-world attacks. Federal agencies are mandated to patch KEV-listed vulnerabilities within specified deadlines. For private sector organisations, KEV listing is a strong indicator that a vulnerability should be prioritised above your normal patching schedule.
What do the NDAA 2026 cybersecurity provisions require?
NDAA 2026 cybersecurity provisions affecting defence contractors include: software bill of materials (SBOM) requirements, enhanced incident reporting timelines, and stronger authentication mandates for systems handling controlled unclassified information (CUI). Compliance deadlines fall in Q2 2026. Consult your legal and compliance team for specific applicability to your organisation.
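The KEV answer above describes KEV listing as a prioritisation signal. The script below is an added example (not from this article or from CISA) of turning that signal into a check: it indexes a KEV catalogue export by CVE, reports the remediation due date for a given CVE, and orders scanner findings so KEV-listed CVEs with the tightest deadlines come first. The embedded JSON is a constructed sample in the shape of CISA’s `known_exploited_vulnerabilities.json`; the CVE-2026-5281 due date, description and the second record are placeholders, not CISA’s actual data.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of CISA's KEV JSON export
# (known_exploited_vulnerabilities.json). The vulnerabilityName and dueDate
# for CVE-2026-5281 and the whole second record are placeholders, not CISA data.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-5281", "vendorProject": "Google", "product": "Chromium Dawn",
     "vulnerabilityName": "Google Chromium Dawn Use-After-Free Vulnerability",
     "dateAdded": "2026-04-02", "dueDate": "2026-04-23",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry whose deadline has already passed",
     "dateAdded": "2026-03-11", "dueDate": "2026-04-01",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(text: str) -> dict:
    """Index a KEV catalogue document by cveID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_status(kev: dict, cve_id: str, today: date) -> dict:
    """Report whether a CVE is KEV-listed and the days left until its dueDate
    (negative, with overdue=True, once the deadline has passed)."""
    entry = kev.get(cve_id)
    if entry is None:
        return {"cve": cve_id, "listed": False}
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    return {"cve": cve_id, "listed": True, "product": entry["product"],
            "due": due.isoformat(), "days_left": (due - today).days,
            "overdue": today > due}


def prioritise(kev: dict, cve_ids: list, today: date) -> list:
    """Order scanner findings: KEV-listed first, tightest deadline first, unlisted last."""
    statuses = [kev_status(kev, c, today) for c in cve_ids]
    return sorted(statuses, key=lambda s: (not s["listed"], s.get("days_left", 10**9)))


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # CVE-2026-0000 is a placeholder ID that is deliberately absent from the sample.
    for s in prioritise(kev, ["CVE-2026-0000", "CVE-2026-5281", "CVE-0000-0001"], date(2026, 4, 10)):
        print(s)
```

Swap `SAMPLE_KEV_JSON` for the downloaded catalogue file and feed in the CVE list from your scanner to get a deadline-ordered patch queue.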