Two critical vulnerabilities are under active exploitation right now. Both have patches. Both need your attention before anything else today.

Chrome: CVE-2026-5281

A use-after-free bug in Dawn, Chrome’s WebGPU engine, affects every Chromium-based browser. That’s Chrome, Edge, Opera, Brave, and more. Roughly 3.5 billion users. It’s a sandbox escape that turns a renderer compromise into full code execution. This is Chrome’s fourth zero-day of 2026.

CISA added it to the KEV catalog on April 1 with a remediation deadline of April 15. Don’t wait that long.

Patch to: Chrome 146.0.7680.177 or later. Update every Chromium browser in your environment, not just Chrome.

Fortinet: CVE-2026-35616

A pre-auth API bypass in FortiClient EMS (versions 7.4.5 and 7.4.6) that hands attackers admin access to your endpoint management server. CVSS 9.1. No credentials needed. A compromise here could cascade to every managed endpoint.

Exploitation started March 31. Easter weekend. That timing wasn’t accidental.

This is Fortinet’s second emergency patch for FortiClient EMS in weeks. The previous one, a SQL injection bug also rated 9.1, came under active exploitation just days earlier. Two critical pre-auth vulnerabilities in the same product in rapid succession. That’s a pattern worth paying attention to.

Patch now: Hotfixes are available for both 7.4.5 and 7.4.6. Don’t wait for 7.4.7.
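
An added example, not part of the original advisory or any vendor tooling: a triage pass over a constructed inventory using the versions named above. Host names, the Edge version and the `hotfix_confirmed` field are hypothetical; other Chromium browsers are marked for manual verification because this page gives only Chrome's fixed build.

```python
# Added example: patch triage over a constructed inventory (not vendor tooling).
CHROME_FIXED = "146.0.7680.177"      # fixed Chrome build named in the advisory
EMS_AFFECTED = {"7.4.5", "7.4.6"}    # affected FortiClient EMS releases named in the advisory
CHROMIUM_OTHERS = {"edge", "opera", "brave"}

def vtuple(version):
    """Parse a dotted version into ints so builds compare numerically, not as text."""
    return tuple(int(part) for part in version.strip().split("."))

def triage(record):
    """Return (status, reason); status is 'patch', 'verify' or 'ok'."""
    product, version = record["product"].lower(), record["version"]
    if product == "chrome":
        try:
            patched = vtuple(version) >= vtuple(CHROME_FIXED)
        except ValueError:
            return "verify", "unparseable version string"
        return ("ok", "at or above fixed build") if patched else ("patch", "below " + CHROME_FIXED)
    if product in CHROMIUM_OTHERS:
        # Only Chrome's fixed build is given on the page, so do not guess the vendor's.
        return "verify", "Chromium-based: confirm fixed build with the vendor"
    if product == "forticlient-ems":
        if version not in EMS_AFFECTED:
            return "verify", "release not named in the advisory"
        # Assumption: the release number alone does not prove the hotfix is applied.
        if record.get("hotfix_confirmed"):
            return "ok", "affected release, hotfix confirmed"
        return "patch", "affected release, hotfix not confirmed"
    return "ok", "product not covered by this advisory"

def report(inventory):
    """Triage every record and sort the most urgent first."""
    order = {"patch": 0, "verify": 1, "ok": 2}
    rows = [(r["host"], *triage(r)) for r in inventory]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))

# Constructed sample inventory; hosts, versions and 'hotfix_confirmed' are hypothetical.
INVENTORY = [
    {"host": "ws-001", "product": "chrome", "version": "146.0.7680.99"},
    {"host": "ws-002", "product": "chrome", "version": "146.0.7680.177"},
    {"host": "ws-003", "product": "edge", "version": "146.0.0.0"},
    {"host": "ems-01", "product": "forticlient-ems", "version": "7.4.6"},
    {"host": "ems-02", "product": "forticlient-ems", "version": "7.4.5", "hotfix_confirmed": True},
]

if __name__ == "__main__":
    for host, status, reason in report(INVENTORY):
        print(f"{status:7} {host:8} {reason}")
```

Build `146.0.7680.99` sorts above `146.0.7680.177` when compared as text, which is why the check parses each component as an integer.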

Don’t schedule these for next week’s change window. The exploits are live. The patches are out. Go.

