COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-5281

CVE-2026-5281

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-04-01
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-5281
⚡ RCE ⌖ exploited in the wild shame 45/100 rceexploited-in-wildransomwaresupply-chain

Google Dawn (Chrome/Edge/Opera) use-after-free vulnerability enables remote code execution via crafted HTML.

A remote use-after-free flaw in Google Dawn allows attackers to execute arbitrary code through a malicious webpage, impacting all Chromium-based browsers. DIB orgs must patch immediately to prevent ransomware or espionage via compromised browser processes.

Shame score — A critical RCE vulnerability in a widely deployed browser product that is actively exploited, though not zero-day.

Players implicated

Google · vendorDawn · product

Description

Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Affected FedRAMP products 2 in the catalog

ProductProviderStatusMatch
Google Services (Google Cloud Platform Products and underlying Infrastructure) Google Authorized vendor-exact · 0.90
Google Workspace Google Authorized vendor-exact · 0.90