Critical Chrome/Edge Zero-Day CVE-2026-5281 — Update Now
An actively exploited vulnerability in Chrome and Edge requires immediate patching. CISA added CVE-2026-5281 to its KEV catalog.
Google released an emergency patch for CVE-2026-5281, a use-after-free vulnerability in Dawn — the component handling WebGPU in Chrome. Versions before 146.0.7680.178 are vulnerable. Attackers can execute arbitrary code by luring users to a crafted web page.
This is the fourth actively exploited Chrome zero-day in 2026. CISA added it to the KEV catalog on April 1 with a federal remediation deadline of April 15.
Why This Matters for SMBs on M365
Most of our customers run Microsoft Edge, which is Chromium-based and affected by the same vulnerability. If your devices are managed through Intune, verify that Edge auto-updates to the correct version. Devices outside Intune management — BYOD, contractors, personal machines — are especially exposed.
Dawn/WebGPU is increasingly used by web applications for graphics and in-browser AI computation. The attack surface is growing.
What You Should Do
- Verify that Edge and Chrome have updated to version 146.0.7680.178 or later on all managed devices
- Create a compliance policy in Intune that flags devices running older browser versions
- Review your update rings — make sure critical updates are not delayed by test phases
- Notify users with unmanaged devices to update manually
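One way to implement the version check and the compliance flag from the list above is a PowerShell discovery script of the kind Intune custom compliance runs. This is an added example, not code from the original advisory or from Microsoft or Google. The install paths and the setting names ChromeState and EdgeState are assumptions, and the Edge threshold reuses the version given on this page.

```powershell
# Added example, not from the original page. Thresholds are the version the
# page gives. Edge uses its own build numbering, so confirm the Edge value
# against Microsoft's release notes before deploying.
$Minimum = @{
    Chrome = [version]'146.0.7680.178'
    Edge   = [version]'146.0.7680.178'   # assumption: same value as the page
}

# Assumed default per-machine install paths. ProgramW6432 covers a 64-bit
# install when the script host is 32-bit. Per-user installs (under the
# user's profile) are not checked.
$Candidates = @{
    Chrome = @(
        "$env:ProgramW6432\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    Edge = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramW6432\Microsoft\Edge\Application\msedge.exe"
    )
}

function Get-BrowserState {
    param([Parameter(Mandatory)][string]$Name)

    $exe = $Candidates[$Name] |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1
    if (-not $exe) { return 'NotInstalled' }

    # ProductVersion is a string; report Unknown rather than guess if it
    # does not parse as a version.
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    $installed = $null
    if (-not [version]::TryParse($raw, [ref]$installed)) { return 'Unknown' }

    if ($installed -ge $Minimum[$Name]) { 'Patched' } else { 'Vulnerable' }
}

# Intune custom compliance reads one compressed JSON object from the script.
$result = [ordered]@{
    ChromeState = Get-BrowserState -Name 'Chrome'
    EdgeState   = Get-BrowserState -Name 'Edge'
}
return $result | ConvertTo-Json -Compress
```

In the matching compliance rules, treat both Vulnerable and Unknown as non-compliant so that a device whose browser version cannot be read is not passed by default.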
How HaggeBurger Can Help
We offer a quick browser security check (1-2 hours) where we verify version status and configure compliance policies in Intune. Need help? Contact us.
Source: CISA KEV | The Hacker News