Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in Google Chronicle
Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_5281_dawn_uaf_exploitation {
meta:
author = "df00tech"
description = "Detects CVE-2026-5281 Google Dawn use-after-free exploitation via Chrome renderer anomalies"
severity = "HIGH"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.principal.process.file.full_path = /(?i)chrome\.exe$/
(
$e1.principal.process.command_line = /--renderer/ or
$e1.principal.process.command_line = /--gpu-process/ or
$e1.principal.process.command_line = /--utility/
)
$e1.principal.hostname = $host
$e2.metadata.event_type = "PROCESS_INJECTION"
$e2.principal.hostname = $host
$e2.target.process.file.full_path = /(?i)chrome\.exe$/
$e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds
$e2.metadata.event_timestamp.seconds <= $e1.metadata.event_timestamp.seconds + 300
condition:
$e1 and $e2
}Chronicle YARA-L rule detecting CVE-2026-5281 Dawn use-after-free exploitation by correlating Chrome renderer/GPU subprocess launch with subsequent process injection events within a 5-minute window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Chrome extensions using native messaging hosts may appear as injections
- Corporate security tools instrumenting Chrome for DLP purposes
- Browser automation frameworks running on managed endpoints
Other platforms for CVE-2026-5281
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)
Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName
- Test 2Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)
Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log
- Test 3Detect Outdated Chrome Version via Endpoint Inventory Query
Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR
- Test 4Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)
Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log
Unlock Pro Content
Get the full detection package for CVE-2026-5281 including response playbook, investigation guide, and atomic red team tests.