A high-severity use-after-free vulnerability (CVE-2026-5281) exists in the underlying Chromium engine used by Microsoft Edge.
CONFIRMED: This vulnerability is under active exploitation in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Immediate action required: Update all instances of Microsoft Edge to the latest version to mitigate this threat.
Intelligence Metadata
First Reported By: nvd.nist.gov
Outbreak Velocity: 1260 minutes spread to 3 unique domains
Consensus: 50 sources across 3 unique domains
CVSS Score: 7.5
EPSS Score: 0.03034 (approx. 90th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5121
Race Label: ZERO-DAY RACE
Technical Analysis
CVE-2026-5281 is a use-after-free vulnerability within the Dawn component of the open-source Chromium project. Dawn is a graphics abstraction layer used for WebGPU. Microsoft Edge, being Chromium-based, inherits this vulnerability. The attack vector requires a user to navigate to a specially crafted webpage.
Upon visiting the malicious site, the flaw can be triggered, leading to a dangling pointer in memory. A threat actor can then manipulate memory to achieve arbitrary code execution within the context of the browser's sandboxed renderer process. While initial execution is sandboxed, this type of vulnerability is frequently chained with a sandbox escape (a separate vulnerability) to achieve full system compromise. The high level of abstraction in components like Dawn can introduce complex memory management states that are prone to such flaws.
Affected Systems
Vendor: Microsoft
Affected Versions:
Microsoft Edge (Chromium-based)
Exposure: Publicly facing systems with user web browsing activity. Exploitation requires user interaction (visiting a malicious URL).
Blast Radius: High. Affects all systems running unpatched versions of Microsoft Edge.
Intelligence Context
The primary driver for immediate action is the CONFIRMED inclusion of CVE-2026-5281 in the CISA KEV catalog on 2026-04-01. This designation overrides the vulnerability's CVSS score of 7.5 and Microsoft's low vendor risk score, as it provides definitive evidence of in-the-wild exploitation. The 'ZERO-DAY RACE' label indicates that attackers were leveraging this flaw before or concurrent with patch availability, minimizing the window for defenders. The EPSS score of 0.03034 further supports this urgency, placing it in the top ~10% of vulnerabilities likely to be exploited. This combination of signals mandates that this vulnerability be treated as a top priority for patching.
Remediation & Defense
Patch immediately. Prioritize all user-facing systems with Microsoft Edge installed.
Patch Status: Available
Patch Version: Not available in provided data. Users should update to the latest version of Microsoft Edge.
Workarounds:
Ensure Microsoft Edge is configured for automatic updates, which is the default setting.
Limit browsing to trusted websites until patches can be verified.
Detection Hints:
Monitor for anomalous child processes spawned by `msedge.exe`, such as `cmd.exe` or `powershell.exe`.
Inspect EDR logs for evidence of browser process memory manipulation or injection.
Analyze network traffic for connections from browser processes to unknown or suspicious domains.
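The first detection hint can be run as a hunt over exported process-creation logs. The sketch below is an added example, not part of the original advisory: it assumes events arrive as JSON lines using Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`, `UtcTime`, `Computer`), and the child images beyond `cmd.exe` and `powershell.exe` are an assumption added here. All sample events are constructed.

```python
import json
import ntpath

# cmd.exe and powershell.exe come from the advisory; the rest are assumptions added here.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSER_PARENTS = {"msedge.exe"}

def image_name(path):
    """Lower-cased file name of a Windows path (file names are case-insensitive)."""
    return ntpath.basename(path or "").lower()

def find_suspicious_children(lines):
    """Return process-creation events where Edge spawned a shell or script host."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines rather than abort the hunt
        if not isinstance(event, dict):
            continue
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        if parent in BROWSER_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"time": event.get("UtcTime"), "host": event.get("Computer"),
                         "child": child, "command_line": event.get("CommandLine")})
    return hits

# Constructed sample events; host names, times and command lines are made up.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    json.dumps({"UtcTime": "2026-04-02 09:14:03", "Computer": "WS-0142",
                "ParentImage": EDGE, "Image": EDGE,
                "CommandLine": "msedge.exe --type=renderer"}),
    json.dumps({"UtcTime": "2026-04-02 09:15:41", "Computer": "WS-0173",
                "ParentImage": EDGE.upper(),
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
                "CommandLine": "powershell.exe -NoProfile"}),
    json.dumps({"UtcTime": "2026-04-02 09:16:10", "Computer": "WS-0142",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"}),
    '{"UtcTime": "2026-04-02 09:20',  # truncated line, must be skipped
]

if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(hit)
```

Edge's own renderer, GPU and utility processes are also `msedge.exe` children, so matching on the child image name keeps that normal activity out of the results.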