CVE-2026-5281 Elastic Security · Elastic

Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in Elastic Security

Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id, process.entity_id with maxspan=5m
  [process where event.type == "start"
    and process.name == "chrome.exe"
    and process.args : ("--renderer", "--gpu-process", "--utility")]
  [any where event.category == "memory" or event.action in (
    "exploit-prevented",
    "shellcode-thread",
    "control-flow-violation",
    "memory-protection-fault"
  ) and process.name == "chrome.exe"]
high severity medium confidence

EQL sequence rule correlating Chrome renderer/GPU process start with subsequent memory exploitation events, indicative of CVE-2026-5281 Dawn use-after-free exploitation.

Data Sources

Elastic Endpoint SecurityElastic SIEM

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.security-*

False Positives & Tuning

  • Elastic Endpoint preventions on legitimate WebGPU content may generate false positives
  • Browser automation tools triggering GPU process memory events
  • Endpoint hardening tools that monitor Chrome renderer memory activity

Other platforms for CVE-2026-5281

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)

    Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName

  2. Test 2Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)

    Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log

  3. Test 3Detect Outdated Chrome Version via Endpoint Inventory Query

    Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR

  4. Test 4Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)

    Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-5281 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1055Process InjectionT1068Exploitation for Privilege Escalation

Same Tactic: Initial Access

Popular Detections