Google fixes fourth Chrome zero-day exploited in attacks in 2026

bleepingcomputer.com · rkhunter_ · 19 hours ago · news
quality 7/10 · good
0 net
Tags
apple browser buffer-overflow cve exploit google malware microsoft node
Entities
CVE-2026-2441 CVE-2026-3909 CVE-2026-3910 CVE-2026-5281
Google fixes fourth Chrome zero-day exploited in attacks in 2026 Home News Security Google fixes fourth Chrome zero-day exploited in attacks in 2026 Google fixes fourth Chrome zero-day exploited in attacks in 2026 By Sergiu Gatlan April 1, 2026 06:25 AM 0 Google released emergency updates to fix another Chrome zero-day vulnerability exploited in attacks, marking the fourth such security flaw patched since the start of the year. "Google is aware that an exploit for CVE-2026-5281 exists in the wild," Google said in a security advisory issued on Tuesday. As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn , the underlying cross-platform implementation of the WebGPU standard used by the Chromium project. Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior. While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company noted. ​Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux users (146.0.7680.177). While Google says that this out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates today. If you don't want to update the browser manually, you can also have it check for updates at the next launch and install them automatically. This is the fourth actively exploited Chrome zero-day patched since the start of the year. The first (CVE-2026-2441) was an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), which Google addressed in mid-February . Google patched two other Chrome zero-day bugs exploited in attacks earlier this month: the first is an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and the second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910). In 2025, Google fixed a total of eight zero-days exploited in the wild , many of which were discovered and reported by Google's Threat Analysis Group (TAG), which is known for tracking and identifying zero-day exploits used in spyware attacks. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other. This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Google fixes two new Chrome zero-days exploited in attacks Google patches first Chrome zero-day exploited in attacks this year Google: 97 zero-days exploited in 2024, over 50% in spyware attacks Android gets patches for Qualcomm zero-day exploited in attacks Google Chrome shifts to two-week release cycle for increased stability Emergency Update Google Google Chrome Web Browser Zero-Day Sergiu Gatlan Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips. Previous Article Next Article Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now You may also like: Popular Stories Cisco source code stolen in Trivy-linked dev environment breach Hackers compromise Axios npm package to drop cross-platform malware Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now Sponsor Posts A unified control plane for all identities, human, non-human, and agentic. 5 Things to Measure in an AI-Driven SOC (That Didn't Exist Before) Is your program ready for agentic GRC? See what shift enterprise teams need to make. Attackers aren’t breaking in. They’re logging in. See how these intrusions unfold Synthetic Identities, Proxies & Real Identities for Sale, is yours next? Upcoming Webinar Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT
← Back to stories