CVE-2026-5281 Microsoft Sentinel · KQL

Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in Microsoft Sentinel

Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic: Initial Access, Execution, Privilege Escalation

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Known Chrome install locations, used to restrict matches to the real browser binary
let suspiciousChromePaths = dynamic(['\\AppData\\Local\\Google\\Chrome\\', '\\Program Files\\Google\\Chrome\\']);
let lookback = 24h;
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ 'chrome.exe'
| where InitiatingProcessFolderPath has_any (suspiciousChromePaths)
// Chrome tags its sandboxed children with --type=renderer, --type=gpu-process or --type=utility;
// a has_any on '--renderer' never matches because that flag does not exist
| where InitiatingProcessCommandLine matches regex @'--type=(renderer|gpu-process|utility)'
// Rename the left-side columns that also exist in DeviceEvents; otherwise the join suffixes the
// right-side ActionType/Timestamp with "1" and the case() below never sees the Exploit Guard events
| project-rename SourceActionType = ActionType, SourceTimestamp = Timestamp
| join kind=inner (
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ('ExploitGuardNonMicrosoftSignedModuleLoaded', 'ExploitGuardControlFlowGuardViolated', 'MemoryProtectionViolation')
    | where InitiatingProcessFileName =~ 'chrome.exe'
) on DeviceId, InitiatingProcessId
| extend RiskIndicator = case(
    ActionType == 'ExploitGuardControlFlowGuardViolated', 'CFG Violation — likely UAF exploitation',
    ActionType == 'MemoryProtectionViolation', 'Memory protection bypass',
    ActionType == 'ExploitGuardNonMicrosoftSignedModuleLoaded', 'Unsigned module in Chrome',
    'Suspicious Chrome event'
)
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ActionType, RiskIndicator, SourceActionType, RemoteUrl
| order by Timestamp desc
```
Severity: high. Confidence: medium.

Detects Chrome renderer or GPU process memory protection violations and CFG violations consistent with CVE-2026-5281 Dawn use-after-free exploitation, using Microsoft Defender for Endpoint telemetry.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel

Required Tables

DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents

False Positives & Tuning

  • Legitimate Chrome extensions loading native modules may trigger unsigned module alerts
  • Software testing environments running WebGPU workloads may produce benign memory events
  • Antivirus or DLP products hooking Chrome processes may trigger CFG violations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)

    Expected signal: EDR process tree shows cmd.exe spawned as a child of chrome.exe carrying the --renderer flag; ProcessRollup2 event with an atypical ChildFileName

  2. Test 2: Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)

    Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in the Windows Application log

  3. Test 3: Detect Outdated Chrome Version via Endpoint Inventory Query

    Expected signal: PowerShell script block logging (Event ID 4104) records the version enumeration; file access telemetry on chrome.exe from EDR

  4. Test 4: Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)

    Expected signal: Windows Defender ATP generates an ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in the Windows Security event log
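The Test 1 signal, written up as an added hunting query that is not part of this page's detection rule: it assumes the Microsoft Defender for Endpoint DeviceProcessEvents schema, and the list of child binaries a sandboxed Chrome process should never launch is a constructed assumption to tune per environment.

```kusto
// Added example, not the page's own detection: hunt for a sandboxed chrome.exe child
// (renderer, GPU or utility process) launching a shell or script host. A Dawn use-after-free
// that reaches sandbox escape has to run code outside the renderer, and that step shows up
// here even when no Exploit Guard or memory-protection event fires.
let lookback = 7d;
// Constructed assumption: binaries a sandboxed Chrome process has no legitimate reason to start
let unexpectedChildren = dynamic(['cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                                  'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe']);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ 'chrome.exe'
// Only the sandboxed process types; the top-level browser process legitimately spawns helpers
| where InitiatingProcessCommandLine matches regex @'--type=(renderer|gpu-process|utility)'
| where FileName in~ (unexpectedChildren)
// Surface the Chrome process type so the analyst sees which sandbox the child came out of
| extend ChromeProcessType = extract(@'--type=([a-z-]+)', 1, InitiatingProcessCommandLine)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ChildCount = count(),
            ChildCommandLines = make_set(ProcessCommandLine, 10)
          by DeviceName, AccountName, ChromeProcessType, FileName, InitiatingProcessId, InitiatingProcessCommandLine
| order by FirstSeen desc
```

Pair the results with the main query above by DeviceName and InitiatingProcessId: a CFG or memory-protection event followed within minutes by one of these child processes is a much stronger signal than either alone.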
