Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in Splunk
Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
SPL Detection Query
index=endpoint (sourcetype=crowdstrike:events:sensor OR sourcetype=windows:sysmon:xml)
| where process_name="chrome.exe" OR ImagePath LIKE "%chrome.exe"
| eval is_renderer=if(like(CommandLine, "%--renderer%") OR like(CommandLine, "%--gpu-process%") OR like(CommandLine, "%--utility%"), 1, 0)
| where is_renderer=1
| join type=left process_id [
search index=endpoint sourcetype=crowdstrike:events:sensor event_simpleName IN ("InjectionCreateRemoteThread", "MemoryProtectionFaultEvent", "ExploitDetected")
| rename ContextProcessId as process_id
| table process_id, event_simpleName, TargetProcessId
]
| eval exploit_indicator=if(isnotnull(event_simpleName), "Possible UAF exploit attempt in Dawn/WebGPU renderer", null())
| where isnotnull(exploit_indicator)
| stats count by _time, host, UserName, CommandLine, event_simpleName, exploit_indicator
| sort -_time
Detects Chrome renderer subprocess memory exploitation events (CFG violations, injection, memory faults) consistent with CVE-2026-5281 Dawn use-after-free via CrowdStrike and Sysmon telemetry.
False Positives & Tuning
- Security tools with deep Chrome integration may inject into renderer processes legitimately
- Corporate endpoint management software may trigger memory events in Chrome
- Automated browser testing frameworks (Selenium, Playwright) running on endpoints
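The correlation the SPL query performs (Chrome subprocess by command-line marker, joined by process id to injection/memory-fault sensor events) together with the tuning knob suggested by the false-positive notes, as an added, stand-alone Python example over constructed sample events; it is not part of the original detection package, and the ParentBaseFileName field and the allow-list of launcher names are assumptions for illustration.

```python
import re

# Constructed sample telemetry (not real events). Field names follow the SPL query above;
# ParentBaseFileName is assumed here as the field carrying the launching process.
CHROME_RE = re.compile(r"chrome\.exe$", re.IGNORECASE)
# The same three markers the SPL eval uses to tag renderer/GPU/utility subprocesses.
SUBPROCESS_MARKERS = ("--renderer", "--gpu-process", "--utility")
SENSOR_NAMES = {"InjectionCreateRemoteThread", "MemoryProtectionFaultEvent", "ExploitDetected"}
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

PROCESS_EVENTS = [
    {"process_id": 4120, "host": "ws01", "UserName": "alice", "ParentBaseFileName": "chrome.exe",
     "ImagePath": CHROME, "CommandLine": "chrome.exe --type=renderer --renderer-client-id=7"},
    {"process_id": 4188, "host": "ws01", "UserName": "alice", "ParentBaseFileName": "chrome.exe",
     "ImagePath": CHROME, "CommandLine": "chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService"},
    {"process_id": 4200, "host": "ws01", "UserName": "alice", "ParentBaseFileName": "explorer.exe",
     "ImagePath": CHROME, "CommandLine": "chrome.exe"},  # browser process: no subprocess marker
    {"process_id": 6100, "host": "ci02", "UserName": "svc_test", "ParentBaseFileName": "chromedriver.exe",
     "ImagePath": CHROME, "CommandLine": "chrome.exe --type=renderer --renderer-client-id=3"},
]
SENSOR_EVENTS = [
    {"event_simpleName": "MemoryProtectionFaultEvent", "ContextProcessId": 4120},
    {"event_simpleName": "ExploitDetected", "ContextProcessId": 4200},            # browser process, filtered out
    {"event_simpleName": "InjectionCreateRemoteThread", "ContextProcessId": 6100},  # Selenium/chromedriver host
    {"event_simpleName": "InjectionCreateRemoteThread", "ContextProcessId": 7777},  # no matching chrome pid
]

def is_chrome_subprocess(ev):
    """Mirror the SPL where/eval: image is chrome.exe AND the command line carries a subprocess marker."""
    return bool(CHROME_RE.search(ev["ImagePath"])) and any(m in ev["CommandLine"] for m in SUBPROCESS_MARKERS)

def correlate(process_events, sensor_events, allowed_parents=frozenset()):
    """Join sensor events to Chrome subprocesses on pid (the SPL join on process_id).

    allowed_parents is the tuning hook from the False Positives section: launchers such as
    browser-test harnesses whose renderer hits are expected are suppressed, everything else fires.
    """
    by_pid = {ev["process_id"]: ev for ev in process_events if is_chrome_subprocess(ev)}
    findings = []
    for s in sensor_events:
        proc = by_pid.get(s["ContextProcessId"])
        if proc is None or s["event_simpleName"] not in SENSOR_NAMES:
            continue
        if proc["ParentBaseFileName"].lower() in allowed_parents:
            continue  # tuned out: known-benign launcher
        findings.append({"host": proc["host"], "UserName": proc["UserName"], "process_id": proc["process_id"],
                         "event_simpleName": s["event_simpleName"],
                         "exploit_indicator": "Possible UAF exploit attempt in Dawn/WebGPU renderer"})
    return findings

if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, SENSOR_EVENTS, allowed_parents={"chromedriver.exe"}):
        print(f)
```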
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)
Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName
- Test 2: Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)
Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log
- Test 3: Detect Outdated Chrome Version via Endpoint Inventory Query
Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR
- Test 4: Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)
Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log