
Chrome 123.0.6312.86/.87
CISA KEV Catalogued
3rd WebGPU CVE in 12 Months
Active Exploitation Confirmed
If you use Google Chrome — and statistically, you almost certainly do — you need to open your browser right now and check your version number. CVE-2026-5281 is a use-after-free vulnerability in Chrome’s Dawn WebGPU component that is being actively exploited in the wild. Google confirmed the flaw, patched it in Chrome 123.0.6312.86 and 123.0.6312.87, and the United States Cybersecurity and Infrastructure Security Agency (CISA) has since added it to the Known Exploited Vulnerabilities (KEV) catalogue — the agency’s definitive list of vulnerabilities confirmed to be weaponised against real targets.
This is not a theoretical risk. Exploitation has been confirmed. The vulnerability allows a renderer process to execute arbitrary code, potentially enabling an attacker to escape Chrome’s sandbox, escalate privileges, and compromise the underlying system. For organisations with unpatched Chrome deployments, the threat window is open right now. For individual users, the fix is a simple browser update — but awareness is the first barrier.
When CISA adds a CVE to its Known Exploited Vulnerabilities catalogue, it isn’t just a warning — it’s a binding directive for all US federal civilian agencies to patch within a defined window. For private-sector organisations, it’s the clearest possible signal that exploitation is real, targeted, and ongoing. CVE-2026-5281’s KEV listing means patching is no longer advisory. It’s urgent.
CVE-2026-5281: What the Vulnerability Is
CVE-2026-5281 is classified as a use-after-free (UAF) vulnerability — one of the most dangerous classes of memory-safety bugs. In a use-after-free flaw, a program frees a block of memory but continues to use a pointer that references it. If an attacker can control what gets placed in that freed memory region before the program references it again, they can redirect code execution to attacker-controlled logic.
The affected component is Dawn, the open-source WebGPU implementation used by Chromium-based browsers. Dawn serves as the abstraction layer between the browser’s JavaScript environment and the system’s GPU hardware. It’s responsible for translating WebGPU API calls into native GPU commands for DirectX (Windows), Metal (macOS), and Vulkan (Linux/Android). The complexity of this translation layer creates a large and difficult-to-audit attack surface — and CVE-2026-5281 is the consequence.
Google’s security team has intentionally withheld full technical details while the patch propagates across the user base, which is standard practice. What is confirmed: the vulnerability exists in how Dawn handles certain GPU resource lifecycle events, where a resource object can be dereferenced after its underlying memory has been freed during WebGPU command processing. The result is arbitrary code execution within the renderer process.

How the Exploit Works in Practice
Practical exploitation of CVE-2026-5281 follows a pattern that security researchers have documented across Chrome UAF bugs in recent years. An attacker creates a malicious webpage or advertisement containing crafted WebGPU API calls that deliberately trigger the use-after-free condition. The victim doesn’t need to download anything or click any suspicious link. Simply loading the page in an unpatched browser can be sufficient.
Once the renderer process executes attacker-controlled code, the exploit typically chains to a sandbox escape — a secondary vulnerability that elevates from the sandboxed renderer to the broader system. Google has not disclosed whether a full chain (UAF + sandbox escape) is being used in observed attacks, but CISA’s KEV listing implies that whatever is being deployed is effective against real targets.
The exploit has been characterised in threat intelligence reporting as being used in drive-by campaigns — broadly distributed attacks where the goal is mass infection rather than highly targeted access. This increases the urgency for all Chrome users, not just those in sensitive industries. Forbes has covered the broader pattern of Chrome zero-day exploitation in depth, and the cadence of attacks on WebGPU specifically has accelerated in 2026.
Unlike phishing attacks that require victims to download and execute a file, drive-by exploitation via browser vulnerabilities requires only that the user navigate to (or be redirected to) a page containing the exploit code. Malvertising campaigns can silently deliver exploits through advertising networks on legitimate websites, making the attack surface effectively the entire web.
Who Is Affected and What to Do
The vulnerability affects all Chrome users on desktop platforms prior to version 123.0.6312.86. This includes Windows, macOS, and Linux. Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — all share the Dawn component and are likely affected as well, though patch timelines vary by vendor.
The fix is straightforward for individual users: open Chrome → click the three-dot menu → Help → About Google Chrome. The browser will check for updates and install the fix automatically. You must then restart the browser for the patch to take effect. Chrome shows the update button as a coloured icon in the toolbar when an update is pending — if you see a red or orange icon, update immediately.
For enterprise and IT teams, this requires urgent attention to your patch deployment pipeline. CISA’s Known Exploited Vulnerabilities catalogue mandates that US federal civilian agencies apply the fix within a defined remediation window. Enterprise IT should treat this with equivalent urgency regardless of sector. Group Policy and Chrome Enterprise management tools can be used to force-update Chrome across managed endpoints. This should happen within 24 hours, not the next patch cycle.
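The version threshold and vendor caveat above can be turned into a fleet check. The following Python audit is an added example, not part of the original article; the host names, CSV columns and sample version strings are constructed for illustration, and only the fixed build 123.0.6312.86 comes from the text.

```python
import csv
import io

FIXED = (123, 0, 6312, 86)  # first fixed Chrome build named in the article

# Constructed sample inventory (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,123.0.6312.86
ws-002,chrome,123.0.6312.58
ws-003,chrome,122.0.6261.129
ws-004,edge,123.0.2420.53
ws-005,chrome,unknown
ws-006,chrome,124.0.6367.60
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version_text):
    """Map one inventory row to patched / vulnerable / unknown / check-vendor."""
    if browser.strip().lower() != "chrome":
        # Other Chromium-based browsers use their own version numbering and
        # patch timelines, so Chrome's build number is not a valid threshold.
        return "check-vendor"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable data needs follow-up; never count it as safe
    # Tuple comparison orders versions numerically, field by field.
    return "patched" if version >= FIXED else "vulnerable"

def audit(inventory_csv):
    """Return {status: [hosts]} for every row of the CSV text."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["browser"], row["version"])
        report.setdefault(status, []).append(row["host"])
    return report

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as unknown or check-vendor still need a manual answer: a missing version string or a non-Chrome browser is not evidence that the fix is installed.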
WebGPU Is a Growing Attack Surface
CVE-2026-5281 is not an isolated incident. It is the third WebGPU vulnerability in Chrome in the past 12 months, and the second to be confirmed as actively exploited. This frequency indicates a structural problem: WebGPU is a complex, high-privilege API that was designed for performance, not for security boundary enforcement. Its architecture creates a rich attack surface that threat actors are methodically exploring.
WebGPU was standardised by the W3C and shipped in Chrome in May 2023 as a replacement for the older WebGL API. It provides web applications with near-native access to GPU compute capabilities — enabling high-performance 3D graphics, neural network inference, physics simulations, and data-parallel computation directly in the browser. This power comes with a price: the translation layers between the web sandbox and native GPU drivers are extraordinarily complex, involving thousands of lines of C++ code managing GPU memory, command buffers, and resource lifetimes.
Security researchers have argued that WebGPU may need sandboxing improvements analogous to what Google did for audio and PDF processing. The browser GPU process currently runs with more privileges than the renderer process but without the full isolation of the browser process. A successful renderer-to-GPU exploit chain could represent a significant privilege escalation path that bypasses existing Chrome sandbox mitigations.
For organisations with strict security requirements, it is worth evaluating whether WebGPU needs to be enabled at the policy level for all employees. Chrome Enterprise allows WebGPU to be disabled via the WebGpuEnabled policy setting — an option worth considering for high-risk environments until the Dawn component’s security posture matures.