Google Chrome fixed two high-severity use-after-free vulnerabilities in the Dawn component, tracked as CVE-2026-5281 and CVE-2026-5286, in versions prior to 146.0.7680.178. Both flaws could let a remote attacker trigger arbitrary code execution via a crafted HTML page, with one advisory noting exploitation after compromise of the renderer process and the other describing user-driven page loading as the attack path.
Both CVEs are classified as CWE-416 and carry the same CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting high impact to confidentiality, integrity, and availability. The records were updated with severity details and references to Chrome release notes and Chromium issue tracker entries, underscoring the need for organizations to move Chrome deployments to 146.0.7680.178 or later.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
The CVE entries were updated with vulnerability descriptions, CWE-416 classification, CVSS v3.1 scoring, and references to Chrome release notes and Chromium issue tracker entries. Both vulnerabilities were classified by Chromium as High severity.
Google addressed CVE-2026-5281 and CVE-2026-5286, two high-severity use-after-free vulnerabilities in Dawn, in Google Chrome version 146.0.7680.178. The flaws could allow arbitrary code execution via a crafted HTML page, with CVE-2026-5281 requiring prior renderer compromise.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.