**Zero-Day Alert: U.S. CISA Adds Flaw in Google Dawn to Known Exploited Vulnerabilities Catalog**
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in Dawn, the WebGPU implementation used by Google Chrome, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2026-5281 (CVSS score 8.8), is a use-after-free bug that a remote attacker can exploit to execute arbitrary code via a crafted HTML page. Google has released an emergency update that fixes the flaw and urges users to upgrade their browsers immediately.
**The Vulnerability in Detail**
Dawn is Google's open-source implementation of the WebGPU API, which Chrome uses to expose GPU rendering and compute to web content. The flaw is reachable by a remote attacker who has already compromised the renderer process: Dawn runs in Chrome's GPU process, outside the renderer sandbox, so a bug there is a sandbox-escape primitive and is normally chained with a separate renderer exploit rather than triggered on its own from a web page. A use-after-free (UAF) occurs when a program keeps a pointer to memory after that memory has been freed and later reads or writes through it; if the attacker can reclaim the freed allocation with controlled data, the stale pointer now refers to attacker-chosen bytes, which turns the bug into heap corruption and, from there, into arbitrary code execution. UAF bugs are particularly dangerous because they break the memory-safety assumptions the rest of the process relies on, letting attackers bypass mitigations and reach data and privileges the compromised component should never have.
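To make that mechanism concrete, the following is an added example written for this article; it is not code from the page, from Google, or from the Dawn project. A toy fixed-slot heap stands in for the real allocator so that chunk reuse is deterministic, a resource object carries a function pointer, and an owner that keeps a raw pointer after freeing the object shows how an attacker's same-size allocation reclaims the slot. The object layout, the allocator and the `0x41` fill pattern are all constructed for the illustration and say nothing about Dawn's actual code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy heap: NSLOTS fixed-size slots with first-fit reuse. It stands in for
 * the real allocator only so that slot reuse is deterministic and involves
 * no undefined behaviour; a production heap hands freed chunks back to the
 * next same-size request in much the same way.
 */
#define SLOT_SIZE 64
#define NSLOTS    4
static uint64_t pool[NSLOTS][SLOT_SIZE / sizeof(uint64_t)];   /* 8-byte aligned */
static int      slot_free[NSLOTS];

static void pool_reset(void)
{
    for (int i = 0; i < NSLOTS; i++) slot_free[i] = 1;
}

static void *pool_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return pool[i]; }
    return NULL;
}

static void pool_free(void *p)
{
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)pool[i]) slot_free[i] = 1;
}

/* A resource object carrying a function pointer, the classic UAF target.
 * Constructed for illustration; this is not Dawn's real object layout. */
typedef struct {
    uint32_t id;
    void   (*on_release)(uint32_t id);
    char     label[16];
} resource_t;

static uint32_t g_released;
static void release_cb(uint32_t id) { g_released = id; }

static resource_t *resource_create(uint32_t id)
{
    resource_t *r = pool_alloc();
    if (!r) return NULL;
    r->id = id;
    r->on_release = release_cb;
    snprintf(r->label, sizeof r->label, "res-%u", (unsigned)id);
    return r;
}

/* An owner that caches a raw pointer to its resource. */
typedef struct { resource_t *res; } owner_t;

/* VULNERABLE: frees the resource but leaves owner->res dangling. */
static void owner_drop_vuln(owner_t *o) { pool_free(o->res); }

/* FIXED: clears the cached pointer so a later use is detectable. */
static void owner_drop_fixed(owner_t *o) { pool_free(o->res); o->res = NULL; }

/* Later use of the cached resource. Returns 0 on a clean call, -1 if the
 * owner holds no live resource (only reachable with the fix), and 1 if the
 * slot's function pointer no longer points at release_cb, i.e. the call
 * would have jumped to attacker-chosen bytes. */
static int owner_use(owner_t *o)
{
    void (*expect)(uint32_t) = release_cb;
    if (!o->res) return -1;
    /* Inspect the pointer bytes instead of calling through them. */
    if (memcmp(&o->res->on_release, &expect, sizeof expect) != 0) return 1;
    o->res->on_release(o->res->id);
    return 0;
}

/* Attacker-controlled allocation: a same-size blob filled with 0x41, the
 * equivalent of a crafted page spraying objects to reclaim the freed slot. */
static void attacker_reclaim(void)
{
    uint8_t *blob = pool_alloc();
    if (blob) memset(blob, 0x41, SLOT_SIZE);
}

int demo_vuln(void)
{
    pool_reset();
    owner_t o = { resource_create(7) };
    owner_drop_vuln(&o);    /* slot freed, o.res still points at it */
    attacker_reclaim();     /* attacker's blob now occupies that slot */
    return owner_use(&o);   /* 1: on_release now reads as 0x4141... */
}

int demo_fixed(void)
{
    pool_reset();
    owner_t o = { resource_create(7) };
    if (owner_use(&o) != 0 || g_released != 7) return 99;  /* live use works */
    owner_drop_fixed(&o);   /* slot freed and o.res cleared */
    attacker_reclaim();
    return owner_use(&o);   /* -1: use after release is caught */
}

int main(void)
{
    printf("vulnerable: %d (1 = stale pointer now reads attacker data)\n", demo_vuln());
    printf("fixed:      %d (-1 = use after release detected)\n", demo_fixed());
    return 0;
}
```

In a real process the vulnerable path would call through `on_release` rather than inspect it, and that indirect call into attacker-controlled bytes is the step that turns heap corruption into code execution. Nulling the cached pointer is the minimal repair shown here; mature code bases prefer owning smart pointers or reference counting so that a dangling raw pointer cannot exist in the first place, and a sanitizer build (`-fsanitize=address`) on the real allocator flags the stale access as a heap-use-after-free at the first read.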
**Exploitation and Impact**
CISA notes that the flaw affects multiple Chromium-based browsers, including Google Chrome, Microsoft Edge, and Opera, so users of any of them should update as soon as their vendor ships the fix. Google addressed CVE-2026-5281 in Chrome 146.0.7680.177/178 for Windows and macOS and 146.0.7680.177 for Linux.
**The Broader Context: Zero-Day Exploitation**
This is not an isolated incident: CVE-2026-5281 is the fourth Chrome zero-day exploited in attacks in 2026 alone. Binding Operational Directive (BOD) 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," requires federal civilian agencies to remediate catalogued vulnerabilities by the assigned due date in order to protect their networks against attacks exploiting the flaws in the catalog. Experts recommend that private organizations also review the catalog and address the listed vulnerabilities in their own infrastructure.
**What's Next?**
To stay protected, users should update their browsers immediately. As usual, Google has not disclosed technical details of the attacks exploiting this flaw or the identity of the attackers, withholding them until most users have updated so that other attackers cannot reproduce the exploit in the meantime. CISA has ordered federal agencies to fix the vulnerability by April 15, 2026.
**Takeaways**
* A use-after-free bug allows a remote attacker to execute arbitrary code via a crafted HTML page.
* CVE-2026-5281 affects multiple Chromium-based products, including Google Chrome, Microsoft Edge, and Opera.
* Users must update their browsers immediately to reduce the risk of attacks.
* Private organizations should review the catalog and address the listed vulnerabilities in their infrastructure.
**Stay Informed**
Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest security news and updates.