CVE-2026-5281 IBM QRadar · QRadar

Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in IBM QRadar

Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as EventTime,
       sourceip, destinationip, username,
       QIDNAME(qid) as EventName,
       "Process Name", "Command Line"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'CrowdStrike Falcon')
  AND ("Process Name" ILIKE '%chrome.exe%')
  AND ("Command Line" ILIKE '%--renderer%'
    OR "Command Line" ILIKE '%--gpu-process%'
    OR "Command Line" ILIKE '%--utility%')
  AND (QIDNAME(qid) ILIKE '%exploit%'
    OR QIDNAME(qid) ILIKE '%memory violation%'
    OR QIDNAME(qid) ILIKE '%control flow%'
    OR QIDNAME(qid) ILIKE '%injection%')
LAST 24 HOURS
ORDER BY starttime DESC
high severity low confidence

QRadar AQL query identifying Chrome renderer and GPU process exploitation events correlated with known exploit and memory violation event categories consistent with CVE-2026-5281.

Data Sources

IBM QRadarWindows Security Event LogCrowdStrike Falcon DSM

Required Tables

events

False Positives & Tuning

  • Security scanning tools generating exploit-category events against Chrome
  • Endpoint DLP products injecting into Chrome renderer processes
  • Chrome enterprise policies enforcing GPU blocklisting may generate unusual process args

Other platforms for CVE-2026-5281

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)

    Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName

  2. Test 2Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)

    Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log

  3. Test 3Detect Outdated Chrome Version via Endpoint Inventory Query

    Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR

  4. Test 4Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)

    Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-5281 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1055Process InjectionT1068Exploitation for Privilege Escalation

Same Tactic: Initial Access

Popular Detections