CVE-2026-5281 CrowdStrike LogScale · LogScale

Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in CrowdStrike LogScale

Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)\\chrome\.exe$/
| CommandLine = /(?i)(--renderer|--gpu-process|--utility)/
| join (
    #event_simpleName in ("MemoryProtectionFaultEvent", "ExploitDetected", "InjectionCreateRemoteThread", "SuspiciousKernelApiCall")
    | ImageFileName = /(?i)\\chrome\.exe$/
    | table TargetProcessId, event_simpleName, ContextTimeStamp
) where [ProcessId] = [TargetProcessId] within 300s
| eval ExploitRisk = "CVE-2026-5281 Dawn UAF — Chrome renderer exploit suspected"
| table _time, ComputerName, UserName, CommandLine, event_simpleName, ExploitRisk
| sort _time desc
high severity medium confidence

CrowdStrike Falcon Hunting query correlating Chrome renderer/GPU subprocess process events with memory exploitation indicators (memory faults, injection, suspicious kernel calls) to detect CVE-2026-5281 exploitation.

Data Sources

CrowdStrike Falcon EDR

Required Tables

ProcessRollup2MemoryProtectionFaultEventExploitDetectedInjectionCreateRemoteThread

False Positives & Tuning

  • CrowdStrike sensor itself may instrument Chrome and appear in join results
  • Third-party password managers with browser extensions that hook renderer processes
  • Enterprise Chrome managed browser profiles with heavy extension usage

Other platforms for CVE-2026-5281

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)

    Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName

  2. Test 2Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)

    Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log

  3. Test 3Detect Outdated Chrome Version via Endpoint Inventory Query

    Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR

  4. Test 4Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)

    Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-5281 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1055Process InjectionT1068Exploitation for Privilege Escalation

Same Tactic: Initial Access

Popular Detections