Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Requires a pre-compromised renderer (PR:L) and victim loading crafted content (UI:R, AC:H); success crosses the sandbox boundary (S:C) with full host-process impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
AnalysisAI
Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has ALREADY compromised the Chrome renderer process - this is the explicit, non-negotiable prerequisite stated in the CVE, meaning this is a second-stage sandbox-escape primitive, not a standalone entry point. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8) treats this as network-reachable and unauthenticated, but the description explicitly requires that the attacker has ALREADY compromised the renderer process - a significant precondition the raw CVSS score does not capture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker first compromises the Chrome renderer via a separate bug (or a malicious/compromised website), then serves a crafted HTML page that issues malformed WebGPU calls into Dawn to trigger the type confusion. Exploiting the resulting memory corruption, the attacker escapes the renderer sandbox to run code with the higher privileges of the browser/GPU process. … |
| Remediation | Update to Google Chrome 150.0.7871.47 or later on all desktop platforms - Vendor-released patch: 150.0.7871.47, per the Chrome Stable channel advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Chrome desktop deployments across the organization and assess user count. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40462
GHSA-898f-rrwc-rgmx