Google has rushed out a patch for yet another Chrome zero-day vulnerability being actively exploited in the wild — the fourth this year. If your not-for-profit hasn’t updated Chrome across all devices recently, now’s the time.

The vulnerability, tracked as CVE-2026-5281, is a use-after-free bug in Chrome’s Dawn component (the WebGPU implementation). As reported by The Hacker News, Google confirmed it’s being exploited in the wild and released Chrome version 146.0.7680.177/.178 for Windows, macOS and Linux to fix it. Use-after-free vulnerabilities let attackers execute arbitrary code on a victim’s machine — potentially gaining full access to the system just by getting someone to visit a malicious webpage.

This matters for not-for-profits more than most realise. NFPs typically run lean IT setups, and Chrome is the backbone of daily operations — Google Workspace for email and documents, cloud-based donor management platforms, volunteer scheduling tools, and online fundraising portals all run through the browser. A compromised Chrome instance could expose donor records, financial data, and sensitive client information. With four zero-days already in 2026, attackers are clearly investing heavily in browser exploits as an entry point.

The fix takes two minutes: open Chrome, click the three-dot menu, go to Help > About Google Chrome, and let it update. Do this on every machine in your organisation, including shared workstations and any devices used by volunteers. If you’re managing more than a handful of machines, consider a browser management policy that forces automatic updates. All IT Services can help NFPs set up centralised browser and patch management so you’re not relying on staff to remember to click “update.”