CVE-2026-5281 Sumo Logic CSE · Sumo

Detect CVE-2026-5281 — Google Dawn Use-After-Free Exploitation in Sumo Logic CSE

Detects exploitation of CVE-2026-5281, a use-after-free vulnerability in Google Dawn (the WebGPU implementation used by Chrome). Exploitation may result in renderer compromise, sandbox escape, or arbitrary code execution via a malicious web page. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/windows OR _sourceCategory=endpoint/crowdstrike
| where process_name matches /(?i)chrome\.exe/
| where command_line matches /(?i)(--renderer|--gpu-process|--utility)/
| join (
    _sourceCategory=endpoint/windows OR _sourceCategory=endpoint/crowdstrike
    | where event_name matches /(?i)(exploit|memory.violation|control.flow|injection|shellcode)/
    | where process_name matches /(?i)chrome\.exe/
) as exploit_events on host=exploit_events.host
| count by _messageTime, host, user, command_line, exploit_events.event_name
| sort by _messageTime desc
high severity low confidence

Sumo Logic query correlating Chrome renderer subprocess events with exploit or memory violation telemetry to detect CVE-2026-5281 Dawn use-after-free exploitation attempts.

Data Sources

Sumo Logic Cloud SIEMWindows Event LogCrowdStrike

Required Tables

endpoint/windowsendpoint/crowdstrike

False Positives & Tuning

  • Endpoint security tools generating exploit events during normal Chrome WebGPU usage
  • Developer workstations running WebGPU experiments may produce renderer memory events
  • Chrome crash reporter activity that resembles memory fault telemetry

Other platforms for CVE-2026-5281

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Chrome Renderer Spawning Unexpected Child Process (Post-Exploitation Proxy)

    Expected signal: EDR process tree shows cmd.exe spawned as child of chrome.exe with --renderer flag; ProcessRollup2 event with atypical ChildFileName

  2. Test 2Trigger Chrome WebGPU Memory Fault via Malformed Shader (Lab)

    Expected signal: Chrome crash report written to %LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\; GPU process exit event in Windows Application log

  3. Test 3Detect Outdated Chrome Version via Endpoint Inventory Query

    Expected signal: PowerShell script block logging (Event ID 4104) records version enumeration; file access telemetry on chrome.exe from EDR

  4. Test 4Simulate CFG Violation in Chrome GPU Process (Windows CFG Test)

    Expected signal: Windows Defender ATP generates ExploitGuardControlFlowGuardViolated event for chrome.exe; CFG violation logged in Windows Security event log

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-5281 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1055Process InjectionT1068Exploitation for Privilege Escalation

Same Tactic: Initial Access

Popular Detections