Description
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Published: 2026-04-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: Yes
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free vulnerability exists in the Dawn graphics engine used by Chromium/Chrome's rendering process; an attacker who can compromise the renderer with a crafted HTML page can trigger a memory corruption that leads to arbitrary code execution. The flaw is classified as CWE‑416 and CWE‑825, reflecting a use‑after‑free that allows an attacker to read and subsequently write memory out of bounds, resulting in potentially full system compromise once the renderer is under control.

Affected Systems

The vulnerability affects Google Chrome builds prior to version 146.0.7680.178 across all supported operating systems including macOS, Linux, and Windows, as indicated by the associated CPE entries. Any machine running the vulnerable Chrome version is exposed to the flaw.

Risk and Exploitability

The CVSS score of 8.8 denotes high severity, while the EPSS score of less than 1% suggests that automated exploitation may be infrequent. The entry is listed in the CISA Known Exploited Vulnerabilities catalog, confirming that attackers have already used this flaw in the wild. Exploitation requires an attacker to lure or compromise the renderer process, typically via a malicious web page that can inject crafted data into the rendering engine, making the attack vector remote and relying on the visitor loading the malicious content.

Generated by OpenCVE AI on April 21, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chrome version 146.0.7680.178 or later, which contains the necessary fix for the Dawn use‑after‑free bug.
  • Restart Chrome after the update to ensure the updated binaries are loaded and the vulnerable code is no longer in memory.
  • Confirm that Chrome’s auto‑update feature is enabled so future security patches are applied automatically.
  • If an immediate upgrade is not possible, use the browser’s safe browsing or content filtering controls to block untrusted web pages until a patch can be applied.

Generated by OpenCVE AI on April 21, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6192-1 chromium security update
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in Dawn
First Time appeared Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Weaknesses CWE-825
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Google
Google chrome
Linux
Linux linux Kernel
Microsoft
Microsoft windows
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

kev

{'dateAdded': '2026-04-01T00:00:00+00:00', 'dueDate': '2026-04-15T00:00:00+00:00'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

threat_severity

Important

Wed, 01 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-02T03:55:36.436Z

Reserved: 2026-03-31T20:07:13.272Z

Link: CVE-2026-5281

cve-icon Vulnrichment

Updated: 2026-04-01T13:43:48.752Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T05:16:01.440

Modified: 2026-04-02T13:16:01.903

Link: CVE-2026-5281

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-31T00:00:00Z

Links: CVE-2026-5281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses