The CISA vulnerability bulletin highlights newly discovered vulnerabilities each week.
Vulnerabilities use the Common Vulnerabilities and Exposures (CVE) naming system and are grouped by severity, as defined by the Common Vulnerability Scoring System (CVSS). High, medium, and low severities fall within these score ranges:
- High: CVSS base score of 7.0 to 10.0
- Medium: CVSS base score of 4.0 to 6.9
- Low: CVSS base score of 0.0 to 3.9
Some entries include extra details from organizations and CISA-sponsored efforts. This can be identifying information, definitions, or related links. Patch details are shared when available. Some information comes from open-source reports and is not directly from CISA.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in the DOM component of Google Chrome, tracked as CVE-2026-5281 (CVSS score 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.
This flaw is known as a use-after-free vulnerability, meaning the program improperly uses memory after it has been released. Specifically, it affects the Document Object Model (DOM) in older versions of Google Chrome. The DOM is a core browser technology that defines the structure of web pages and their graphics. A remote attacker could exploit this flaw by sending specially crafted HTML pages.
CISA says this vulnerability could affect several Chromium-based products, including Google Chrome, Microsoft Edge, and Opera.
This week, Google released Chrome updates that fix 21 vulnerabilities, including a zero-day (CVE-2026-5281) that is already being exploited.
Update your browser immediately to reduce risk. Prompt patching prevents compromise.
Google is aware that an exploit for CVE-2026-5281 exists in the wild, according to the advisory.
A use-after-free bug occurs when memory that has been released is still used by a program.
Attackers can use these bugs to crash applications or take control of systems. Google fixed the Chrome zero-day and recommends that users update to version 146.0.7680.177/178.
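A practical follow-up to the update recommendation is checking which machines still run a build below the fix. The script below is an added example, not code from the bulletin or from Google; it compares Chrome version strings numerically (a plain string comparison would wrongly treat "146.0.7680.99" as newer than "146.0.7680.177") against the fixed version named above, over a constructed sample inventory.

```python
# Added example: flag Chrome installs below the fixed build named in the bulletin.
# The inventory is constructed sample data; hostnames are placeholders.
from typing import List, Tuple

# Fixed build from the bulletin (146.0.7680.177; the bulletin also lists .178).
FIXED_VERSION = "146.0.7680.177"

# Constructed inventory: (hostname, installed Chrome version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "146.0.7680.177"),  # exactly the fixed build
    ("ws-02", "146.0.7680.99"),   # lexically "newer", numerically older
    ("ws-03", "145.0.7632.120"),  # previous major release
    ("ws-04", "147.0.7701.0"),    # newer major release
    ("ws-05", "unknown"),         # inventory agent returned nothing useful
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '146.0.7680.177' into (146, 0, 7680, 177); reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build.

    Tuples of ints compare element by element, so the 4-part version
    is ordered numerically rather than as text.
    """
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: List[Tuple[str, str]],
           fixed: str = FIXED_VERSION) -> Tuple[List[str], List[str]]:
    """Return (hosts below the fix, hosts whose version could not be parsed).

    Unparsable entries are reported separately rather than silently treated
    as patched, so a broken inventory agent cannot hide an exposed host.
    """
    unpatched, unknown = [], []
    for host, version in inventory:
        try:
            if not is_patched(version, fixed):
                unpatched.append(host)
        except ValueError:
            unknown.append(host)
    return unpatched, unknown


if __name__ == "__main__":
    below, unknown = triage(SAMPLE_INVENTORY)
    print("below fixed build:", below)      # ['ws-02', 'ws-03']
    print("version unknown:  ", unknown)    # ['ws-05']
```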
As usual, Google did not reveal technical details of the attacks exploiting this flaw or the attackers involved, giving users time to update before others can exploit it.
CVE-2026-5281 is the fourth Google Chrome zero-day to be exploited in attacks in 2026.
According to Binding Operational Directive (BOD) 22-01, the goal is to reduce the significant risk posed by known exploited vulnerabilities. FCEB agencies are required to patch the identified vulnerabilities by the due date. Prompt patching is vital to protect their networks against attacks exploiting flaws in the catalog.
Experts also advise private organizations to urgently review the catalog and promptly apply patches for any vulnerabilities in their systems.
Federal agencies must patch the vulnerability by April 15, 202. Act quickly as exploitation is ongoing.
Source: Vulnerability Summary for the Week of January 27, 2025