
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-5281, a Use-After-Free vulnerability in Google Dawn, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.

Sens: Immediate | Conf: high | Analyzed: 2026-04-01

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added CVE-2026-5281 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability is a Use-After-Free flaw affecting Google Dawn.
  • There is confirmed evidence of active exploitation in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.
  • All organizations are strongly urged to prioritize patching to reduce cyberattack exposure.

Affected Systems

  • Google Dawn (and applications embedding it, such as Chromium-based web browsers)

Vulnerabilities (CVEs)

  • CVE-2026-5281

Attack Chain

Threat actors are actively exploiting CVE-2026-5281, a Use-After-Free vulnerability in Google Dawn. Specific details regarding the attack chain, payload delivery, or post-exploitation activities are not provided in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: Low — The alert only mentions a vulnerability without providing specific exploit indicators, payloads, or post-exploitation behaviors.
  • Network Visibility: Low — No network indicators or C2 patterns are provided in the alert.
  • Detection Difficulty: Hard — Detecting exploitation of this specific use-after-free without known payloads or crash signatures is difficult when relying solely on this alert.

Required Log Sources

  • Vulnerability Management Scans
  • Application Crash Logs

Hunting Hypotheses

Hypothesis: Look for unexpected crashes or abnormal child processes spawning from applications utilizing Google Dawn (e.g., Chromium-based browsers), which may indicate attempted or successful exploitation of the use-after-free vulnerability.
Telemetry: Process Execution, Application Crash Logs
ATT&CK Stage: Execution
FP Risk: Medium

Control Gaps

  • Lack of timely patching for client applications and browsers

Key Behavioral Indicators

  • Application crashes related to WebGPU/Dawn components

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch all systems running vulnerable versions of Google Dawn or applications embedding it (e.g., web browsers).

Infrastructure Hardening

  • Implement robust vulnerability management and patch deployment pipelines to ensure rapid remediation of KEVs.

User Protection

  • Ensure user browsers and client applications are updated to the latest secure versions.

Security Awareness

  • Educate users on the importance of restarting browsers to apply pending updates.

MITRE ATT&CK Mapping

  • T1203 - Exploitation for Client Execution