Chrome Zero-Day Vulnerability CVE-2026-5281 Fix Guide 2026 Edition
Technical analysis of Chrome zero-day vulnerabilities CVE-2026-5281, CVE-2026-2441, CVE-2026-3909, and CVE-2026-3910, which affected 3.5 billion users in 2026. Get CVSS scores, fixed versions, attack chain breakdowns, and enterprise mitigation policies.
Chrome Zero-Day Vulnerabilities 2026: CVE-2026-5281, CVE-2026-2441, CVE-2026-3909 & CVE-2026-3910
In 2026 to date, Chrome has suffered four zero-day vulnerability attacks. CVE-2026-5281, CVE-2026-2441, CVE-2026-3909, CVE-2026-3910 — each has been actively exploited in the wild, affecting 3.5 billion users globally. This article provides precise version numbers, official fix links, attack chain breakdowns, and enterprise-level mitigation strategies for each vulnerability.
Timeline Overview
| CVE ID | Type | Component | CVSS | Fixed Version | Discovery Date |
|---|---|---|---|---|---|
| CVE-2026-2441 | Use-after-free | CSSFontFeatureValuesMap | Critical | 145.0.7632.75/76 | 2026-02-11 |
| CVE-2026-3909 | Out-of-bounds write | Skia 2D | 8.8 | 146.0.7680.80 | 2026-03-10 |
| CVE-2026-3910 | Inappropriate Implementation | V8 JS Engine | 8.8 | 146.0.7680.80 | 2026-03-10 |
| CVE-2026-5281 | Use-after-free | Dawn (WebGPU) | Critical | 146.0.7680.177/178 | 2026-03-10 |
CVE-2026-2441: CSS Font Iterator Invalidation
Vulnerability Type: Use-after-free (iterator invalidation)
Affected Component: CSSFontFeatureValuesMap
CVSS: Critical (CISA confirmed in-the-wild exploitation)
Official Advisory: chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html
CVE Details: nvd.nist.gov/vuln/detail/CVE-2026-2441
Chromium Issue: issues.chromium.org/issues/483569511
CISA KEV: catalog.cisa.gov/known-exploited-vulnerabilities
PoC Public: github.com/huseyinstif/CVE-2026-2441-PoC
Affected Versions
- Windows/Mac: < 145.0.7632.75/76
- Linux: < 144.0.7559.75
Fixed Versions
- Windows/Mac: 145.0.7632.75/76
- Linux: 144.0.7559.75
Attack Chain Analysis
1. Attacker hosts a malicious HTML page
2. Page invokes CSS font-feature-values syntax to trigger CSSFontFeatureValuesMap iteration
3. During iteration, DOM nodes are deleted, invalidating the iterator
4. The invalidated iterator still holds a reference to freed memory
5. Attacker refills the freed memory via JavaScript
6. Achieves arbitrary code execution → sandbox escape
MITRE ATT&CK:
- T1068: Privilege Escalation / Sandbox Escape
- T1059.007: JavaScript Execution
- T1203: Browser Exploitation
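Detection Rules
These rules are heuristics rather than exploit signatures: the Sysmon rule matches ordinary Chrome renderer launches, and the network rules key on a CSS feature name that benign pages also use and see only unencrypted HTTP. Treat hits as triage leads.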
Sysmon Rule (XML format):
<RuleGroup name="CVE-2026-2441 Detection" groupRelation="or">
<ProcessCreate onmatch="include">
<ParentImage condition="contains">chrome.exe</ParentImage>
<CommandLine condition="contains">--type=renderer</CommandLine>
</ProcessCreate>
</RuleGroup>
Suricata Rule:
# Inspects the response body delivered to the browser (file.data)
alert http any any -> $HOME_NET any ( \
msg:"CVE-2026-2441 Chrome CSSFontFeatureValuesMap Exploit Attempt"; \
flow:established,to_client; \
file.data; \
content:"font-feature-values"; \
pcre:"/font-feature-values[^{]*\{.*\}/s"; \
classtype:web-application-attack; \
sid:9002441; \
rev:1; \
)
Zeek Script:
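@load base/frameworks/notice

# Register the notice type used below
redef enum Notice::Type += { CVE_2026_2441_EXPLOIT };

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) {
    # Zeek patterns have no \b word boundary, so match the bare token
    if (/font-feature-values/ in unescaped_URI) {
        NOTICE([$note=CVE_2026_2441_EXPLOIT,
                $msg="Potential CSS FontFeatureValuesMap exploit URI",
                $conn=c]);
    }
}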
CVE-2026-3909: Skia Out-of-Bounds Write
Vulnerability Type: Out-of-bounds write
Affected Component: Skia 2D Graphics Library
CVSS: 8.8 (Critical)
Official Advisory: chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html
CVE Details: nvd.nist.gov/vuln/detail/CVE-2026-3909
Chromium Issue: issues.chromium.org/issues/491421267
CISA KEV: Listed
Affected Versions
- All Platforms: < 146.0.7680.80
Fixed Versions
- Windows/Mac/Linux: 146.0.7680.80
Attack Chain Analysis
1. Attacker delivers a crafted HTML Canvas page via phishing email or malicious website
2. Page uses WebGL/Canvas API to draw vector graphics with malformed paths
3. Integer overflow occurs when Skia graphics library parses path vertices
4. Overflow causes write to exceed heap buffer boundary
5. Attacker leverages heap overflow to overwrite adjacent memory structures
6. Hijacks control flow → remote code execution
MITRE ATT&CK:
- T1059.007: JavaScript Execution
- T1068: Privilege Escalation
- T1499.004: Endpoint Denial of Service (crash)
Detection Rules
Sysmon Rule:
<RuleGroup name="CVE-2026-3909 Detection">
<ProcessCreate onmatch="include">
<ParentImage condition="contains">chrome.exe</ParentImage>
<CommandLine condition="contains">--type=renderer</CommandLine>
<Image condition="contains">chrome.exe</Image>
</ProcessCreate>
</RuleGroup>
Suricata Rule:
# Inspects the response body delivered to the browser (file.data)
alert http any any -> $HOME_NET any ( \
msg:"CVE-2026-3909 Chrome Skia Out-of-Bounds Write Attempt"; \
flow:established,to_client; \
file.data; \
content:"<canvas"; \
content:"drawImage"; \
byte_test:2,>,0,4,little; \
classtype:attempted-admin; \
sid:9003909; \
rev:1; \
)
Zeek Script:
@load base/frameworks/notice

# Register the notice type used below
redef enum Notice::Type += { CVE_2026_3909_EXPLOIT };

event http_entity_data(c: connection, is_orig: bool, length: count, data: string) {
    # Inspect response bodies (the page delivered to the browser)
    if (!is_orig && "canvas" in data && "drawImage" in data) {
        # Check for abnormal Canvas API call patterns
        if (|data| > 10000) { # Abnormally large Canvas data
            NOTICE([$note=CVE_2026_3909_EXPLOIT,
                    $msg="Large Canvas data with drawImage - possible Skia exploit",
                    $conn=c]);
        }
    }
}
CVE-2026-3910: V8 Inappropriate Implementation
Vulnerability Type: Inappropriate Implementation
Affected Component: V8 JavaScript/WebAssembly Engine
CVSS: 8.8 (Critical)
Official Advisory: chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
CVE Details: nvd.nist.gov/vuln/detail/CVE-2026-3910
Chromium Issue: issues.chromium.org/issues/491410818
CISA KEV: Listed
Affected Versions
- All Platforms: < 146.0.7680.80
Fixed Versions
- Windows/Mac/Linux: 146.0.7680.80
Attack Chain Analysis
1. Attacker hosts a page containing malformed WebAssembly
2. Page exploits V8 engine's incorrect handling of WASM types
3. Achieves arbitrary code execution within sandbox
4. Combines with other vulnerabilities or kernel privilege escalation for sandbox escape
MITRE ATT&CK:
- T1059.007: JavaScript Execution
- T1068: Privilege Escalation
- T1552.001: Credential Dumping (post sandbox escape)
Detection Rules
Sysmon Rule:
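<RuleGroup name="CVE-2026-3910 Detection" groupRelation="or">
<ProcessCreate onmatch="include">
<!-- Sysmon Event ID 1 is ProcessCreate; each Rule requires both of its conditions -->
<Rule name="CVE-2026-3910 renderer" groupRelation="and">
<ParentImage condition="contains">chrome.exe</ParentImage>
<CommandLine condition="contains">--type=renderer</CommandLine>
</Rule>
<Rule name="CVE-2026-3910 WebAssembly" groupRelation="and">
<Image condition="contains">chrome.exe</Image>
<CommandLine condition="contains">WebAssembly</CommandLine>
</Rule>
</ProcessCreate>
</RuleGroup>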
Suricata Rule:
# The pcre matches the WASM magic bytes (\0asm) in the response body
alert http any any -> $HOME_NET any ( \
msg:"CVE-2026-3910 Chrome V8 WASM Exploit Attempt"; \
flow:established,to_client; \
http.content_type; \
content:"application/wasm"; \
file.data; \
content:"getexports"; \
pcre:"/\x00\x61\x73\x6d/"; \
classtype:attempted-user; \
sid:9003910; \
rev:1; \
)
Zeek Script:
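@load base/frameworks/notice

# Register the notice type used below
redef enum Notice::Type += { CVE_2026_3910_EXPLOIT };

# The Content-Type is only available per header, so hook http_header
event http_header(c: connection, is_orig: bool, original_name: string,
                  name: string, value: string) {
    # Zeek upper-cases header names; check the response Content-Type
    if (!is_orig && name == "CONTENT-TYPE" && /application\/wasm/ in value) {
        NOTICE([$note=CVE_2026_3910_EXPLOIT,
                $msg="WebAssembly content detected - review for CVE-2026-3910",
                $conn=c,
                $uid=c$uid]);
    }
}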
CVE-2026-5281: Dawn/WebGPU Use-after-Free (Latest)
Vulnerability Type: Use-after-free (dangling reference)
Affected Component: Dawn (WebGPU cross-platform GPU abstraction layer)
CVSS: Critical (Google confirmed in-the-wild exploitation)
Official Advisory: chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html
CVE Details: nvd.nist.gov/vuln/detail/CVE-2026-5281
Chromium Issue: issues.chromium.org/issues/491518608
CISA KEV: Listed
Discoverer: Anonymous researcher (reported 2026-03-10)
Affected Versions
- Windows/Mac: < 146.0.7680.177/178
- Linux: < 146.0.7680.177
Fixed Versions
- Windows: 146.0.7680.178
- Mac: 146.0.7680.177/178
- Linux: 146.0.7680.177
19 Other Vulnerabilities Fixed in This Update
This update patched a total of 21 security vulnerabilities:
| CVE | Type | Component |
|---|---|---|
| CVE-2026-5273 | Use-after-free | CSS |
| CVE-2026-5272 | Heap buffer overflow | GPU |
| CVE-2026-5274 | Integer overflow | Codecs |
| CVE-2026-5275 | Heap buffer overflow | ANGLE |
| CVE-2026-5276 | Insufficient policy enforcement | WebUSB |
| CVE-2026-5278 | Use-after-free | Web MIDI |
| CVE-2026-5279 | Object corruption | V8 |
| CVE-2026-5280 | Use-after-free | WebCodecs |
| CVE-2026-5284 | Use-after-free | Dawn |
| CVE-2026-5285 | Use-after-free | WebGL |
| CVE-2026-5287 | Use-after-free | |
| CVE-2026-5288 | Use-after-free | WebView |
| CVE-2026-5289 | Use-after-free | Navigation |
| CVE-2026-5290 | Use-after-free | Compositing |
Attack Chain Analysis
1. Attacker hosts a crafted webpage exploiting the WebGPU API
2. Page calls navigator.gpu.requestAdapter() via JavaScript
3. During GPU resource handling in the Dawn layer, an object is freed prematurely
4. JavaScript still holds a reference to the object and continues calling its methods
5. Attacker reallocates the same memory region within a time window
6. Overwrites old object structure with new object content
7. Achieves arbitrary code execution within sandbox
MITRE ATT&CK:
- T1059.007: JavaScript Execution
- T1068: Privilege Escalation
- T1499.004: Endpoint Denial of Service
Detection Rules
Sysmon Rule:
<RuleGroup name="CVE-2026-5281 Detection">
<ProcessCreate onmatch="include">
<ParentImage condition="contains">chrome.exe</ParentImage>
<CommandLine condition="contains">--enable-unsafe-webgpu</CommandLine>
</ProcessCreate>
<ProcessCreate onmatch="include">
<Image condition="contains">chrome.exe</Image>
<CommandLine condition="contains">requestAdapter</CommandLine>
</ProcessCreate>
</RuleGroup>
Suricata Rule:
# Inspects the response body delivered to the browser (file.data)
alert http any any -> $HOME_NET any ( \
msg:"CVE-2026-5281 Chrome Dawn WebGPU Exploit Attempt"; \
flow:established,to_client; \
file.data; \
content:"navigator.gpu.requestAdapter"; \
pcre:"/navigator\.gpu\.requestAdapter/"; \
classtype:attempted-admin; \
sid:9005281; \
rev:1; \
)
Zeek Script:
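@load base/frameworks/notice

# Register the notice type used below
redef enum Notice::Type += { CVE_2026_5281_EXPLOIT };

event http_entity_data(c: connection, is_orig: bool, length: count, data: string) {
    # Inspect response bodies (the page delivered to the browser)
    if (!is_orig && "navigator.gpu" in data) {
        NOTICE([$note=CVE_2026_5281_EXPLOIT,
                $msg="WebGPU API usage detected - possible Dawn exploit",
                $conn=c]);
    }
}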
Fix Guide
Step 1: Check Current Version
Visit chrome://settings/help to check the version number:
- CVE-2026-2441 requires upgrade to: 145.0.7632.75/76 (Windows/Mac) or 144.0.7559.75 (Linux)
- CVE-2026-3909/3910 requires upgrade to: 146.0.7680.80
- CVE-2026-5281 requires upgrade to: 146.0.7680.177/178 (Windows/Mac) or 146.0.7680.177 (Linux)
Step 2: Manually Update Chrome
- Open Chrome
- Click the menu icon (⋮) in the top-right corner
- Select Help → About Google Chrome
- Browser automatically checks for and downloads updates
- Click Relaunch to complete the update
Step 3: Verify Build ID (Enterprise Users)
Visit: chromiumdash.appspot.com/serving?filename=chrome_versions.json
Search for the full version number corresponding to each CVE and confirm Build ID match.
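The version check in Steps 1 to 3 can be run across a fleet inventory. The following is an added example, not code from the original page: it compares installed versions numerically against the fixed builds listed above, taking the lower build where the page gives "x/y". The host names and the sample inventory are constructed.

```python
import re

# Minimum fixed builds, copied from this page's "Fixed Versions" lists.
# Assumption: where the page gives "x/y", the lower build is the minimum.
PLATFORMS = ("windows", "mac", "linux")
FIXED = {
    "CVE-2026-2441": {"windows": "145.0.7632.75", "mac": "145.0.7632.75",
                      "linux": "144.0.7559.75"},
    "CVE-2026-3909": dict.fromkeys(PLATFORMS, "146.0.7680.80"),
    "CVE-2026-3910": dict.fromkeys(PLATFORMS, "146.0.7680.80"),
    "CVE-2026-5281": {"windows": "146.0.7680.178", "mac": "146.0.7680.177",
                      "linux": "146.0.7680.177"},
}

def parse_version(text):
    """Return the four-part version as ints, so 146.0.7680.9 sorts below
    146.0.7680.80 (a plain string comparison gets this wrong)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(part) for part in m.groups())

def unpatched_cves(platform, version_text):
    """Return the CVEs whose fixed build is newer than the installed one."""
    platform = platform.lower()
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    installed = parse_version(version_text)
    return sorted(cve for cve, minimum in FIXED.items()
                  if installed < parse_version(minimum[platform]))

def audit(inventory):
    """Map each host to its outstanding CVEs; a host whose version cannot
    be parsed is reported as ['UNKNOWN'] instead of being skipped."""
    report = {}
    for host, platform, version_text in inventory:
        try:
            report[host] = unpatched_cves(platform, version_text)
        except ValueError:
            report[host] = ["UNKNOWN"]
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.177"),
    ("mac-07", "mac", "146.0.7680.177"),
    ("lnx-03", "linux", "144.0.7559.75"),
    ("ws-09", "windows", "146.0.7680.9"),
    ("kiosk-2", "linux", "unknown"),
]
```

Calling `audit(SAMPLE)` returns a dictionary keyed by host; an empty list means every fix listed on this page is present.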
Enterprise Deployment
Windows AD Domain Group Policy:
Computer Configuration → Administrative Templates → Google → Google Chrome → Updates
Enable "Automatic Update Check Period" set to "Daily"
Enable "Update Policy" set to "Always Allow Updates"
macOS Jamf/MDM:
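#!/bin/bash
# Note: softwareupdate installs Apple-provided updates only; Chrome is updated
# by its own updater, so confirm the Chrome version separately afterwards.
/usr/bin/softwareupdate -v -a --force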
Linux (Chef/Ansible Example):
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install -y google-chrome-stable
# RHEL/CentOS
sudo yum update google-chrome-stable
Enterprise Mitigation Measures
1. Disable High-Risk Features (Temporary Mitigation)
Disable WebGPU (until confirmed updated):
- Chrome Policy: DisableWebGPU → Set to 1
- Registry Path: HKLM\SOFTWARE\Policies\Google\Chrome\DisableWebGPU
Disable WebGL:
- Chrome Policy: DisableWebGL → Set to 1
Disable V8 Optimization (performance degradation, but increases exploitation difficulty):
- Launch parameter: --js-flags=--jitless
2. Enable Chrome Sandbox Hardening
--enable-namespace-sandbox
--disable-dev-shm-usage
--no-sandbox (disables the sandbox entirely; Linux test environments only, never as a hardening setting)
3. Network Layer Protection
Squid Proxy Blocklist:
acl BLOCK_DOMAINS dstdomain .evil.com
http_access deny BLOCK_DOMAINS
IDS Rule Priority:
# Sorted by priority (lower numbers = higher priority)
9005281 - CVE-2026-5281 Dawn/WebGPU
9003910 - CVE-2026-3910 V8 WASM
9003909 - CVE-2026-3909 Skia OOB
9002441 - CVE-2026-2441 CSS Font
4. Browser Isolation
Recommended for high-risk user groups:
- Google Chrome Enterprise + BeyondCorp
- Citrix Workspace + Browser Isolation
- ZScaler Browser Isolation
Detection & Response Checklist
72-Hour Action Items
- Confirm all Chrome instance versions
- Push emergency updates
- Verify updates took effect
- Check SIEM/EDR alerts
Search Keywords (SIEM)
source=chrome "CVE-2026-5281" OR "CVE-2026-3909" OR "CVE-2026-3910" OR "CVE-2026-2441"
Log Retention Recommendations
- Chrome process logs: Retain 180 days
- Network proxy logs: Retain 365 days
- Sysmon event logs: Retain 180 days
Reference Links
- Google Chrome Releases: chromereleases.googleblog.com
- NVD CVE Database: nvd.nist.gov
- CISA KEV Catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- Chromium Issue Tracker: issues.chromium.org
- Chrome Enterprise Documentation: cloud.google.com/chrome-enterprise
Frequently Asked Questions
How many zero-day vulnerabilities did Chrome have in 2026?
Chrome had at least four confirmed zero-day vulnerabilities in 2026: CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. All four were confirmed as actively exploited in the wild before patches were available. These vulnerabilities affected approximately 3.5 billion Chrome users globally across Windows, macOS, and Linux platforms. CVE-2026-2441 and CVE-2026-5281 were rated Critical severity by NVD, while CVE-2026-3909 and CVE-2026-3910 were rated High (CVSS 8.8).
Is CVE-2026-5281 still dangerous after the patch?
CVE-2026-5281 is dangerous only if you have not updated Chrome. This critical use-after-free vulnerability in Dawn (Chrome's WebGPU implementation) was confirmed exploited in the wild before the patch was released. Update to Chrome 146.0.7680.177/178 or later on Windows/Mac, or 146.0.7680.177 on Linux, to be protected. As a temporary mitigation before updating, disable WebGPU via the DisableWebGPU policy or the --disable-webgpu launch flag.
How do I check if Chrome is updated to the latest version?
Visit chrome://settings/help in your Chrome browser to see the current version number. Compare it against the fixed versions: 145.0.7632.75/76 for CVE-2026-2441, 146.0.7680.80 for CVE-2026-3909 and CVE-2026-3910, and 146.0.7680.177/178 for CVE-2026-5281. Enterprise users can verify Build IDs against the official Chrome versions JSON at chromiumdash.appspot.com/serving?filename=chrome_versions.json.
What temporary mitigations work for Chrome zero-day vulnerabilities?
Temporary mitigations before updating include disabling WebGPU via DisableWebGPU policy (set to 1 in Windows Registry at HKLM\SOFTWARE\Policies\Google\Chrome\DisableWebGPU), disabling WebGL via DisableWebGL policy, and launching Chrome with the --js-flags=--jitless flag to reduce V8 exploitation surface. For network-layer protection, deploy IDS/SIEM rules targeting the CVE-specific IOCs. Chrome Enterprise customers can use BeyondCorp or browser isolation solutions as a defense-in-depth measure.
Last updated: 2026-04-11 | Data sources: Google Chrome Release Blog, NVD, CISA KEV