CVE-2026-5281 in Google Chrome: Confirmed Exploitation in CISA KEV Catalog

📅 April 02, 2026 🔴 Exploit Risk: 0.500 📊 Intelligence Score: 67/100 📰 50 sources synthesized

TL;DR — Read this first

A high-severity vulnerability, CVE-2026-5281, affects Google Chrome.
The vulnerability is confirmed to be actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Immediate action is required: Ensure all instances of Google Chrome are updated to the latest version to mitigate this threat.

Intelligence Metadata

First Reported Bynvd.nist.gov

Outbreak Velocity1620 minutes spread to 4 unique domains

Consensus50 articles across 4 unique domains

CVSS Score7.5

EPSS Score0.00038 (0.038th percentile)

CISA KEV StatusConfirmed

Exploit Risk Score0.5002

Race LabelZERO-DAY RACE

Technical Analysis

Technical details for CVE-2026-5281 are not available in the provided intelligence. However, its inclusion in the CISA KEV catalog provides CONFIRMED evidence of active exploitation. The vulnerability is part of a cluster of high and critical severity issues disclosed for Google Chrome, including CVE-2026-34156 (CVSS 9.9) and CVE-2026-34162 (CVSS 10.0). While those vulnerabilities have higher CVSS scores, CVE-2026-5281 is the only one with confirmed exploitation.

The attack vector is INFERRED to be remote code execution or security bypass initiated by a user visiting a malicious or compromised web page. The exploit's existence in the wild demonstrates that the preconditions for a successful attack are met by threat actors, making it a practical and immediate threat to endpoints running vulnerable versions of the browser.

Affected Systems

Vendor: Google

Affected Versions:

Google Chrome

Exposure: User endpoint systems. Exploitation occurs when a user navigates to a malicious web page with a vulnerable browser.

Blast Radius: High. The vulnerability affects one of the most widely deployed web browsers across Windows, macOS, and Linux operating systems.

Intelligence Context

The key intelligence signal for CVE-2026-5281 is its status as a CISA KEV entry, which overrides all other predictive metrics. Despite a very low EPSS score (0.038th percentile) suggesting a low probability of exploitation, the KEV listing provides ground truth that exploitation is actively occurring. This is a classic scenario where defenders must prioritize patching based on confirmed threat activity rather than predictive scoring. The 'ZERO-DAY RACE' label, combined with its recent addition to the KEV catalog (1 day prior), indicates that threat actors are actively leveraging this vulnerability and defenders are in a critical window to apply patches before widespread campaigns emerge.

Remediation & Defense

Patch immediately. The confirmed active exploitation (CISA KEV) makes this the highest priority for endpoint vulnerability management teams.

Patch Status: Available

Patch Version: Users should update to the latest version of Google Chrome immediately. Specific patched version numbers were not provided in the source intelligence.

Workarounds:

Ensure Google Chrome's automatic update feature is enabled and functioning.

Detection Hints:

Monitor endpoint security logs for suspicious process creation originating from chrome.exe.
Analyze network traffic for connections to untrusted domains initiated by browser processes.

Source Timeline

nvd.nist.gov — First reporter
cisa.gov — Exploitation confirmation (KEV)

CVE-2026-5281 google chrome kev zero-day vulnerability