Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
AnalysisAI
Out-of-bounds memory read in the Dawn WebGPU implementation of Google Chrome prior to 149.0.7827.53 allows a remote attacker to access memory outside intended bounds via a crafted HTML page. Exploitation requires the victim to visit an attacker-controlled page, and no public exploit identified at time of analysis. Google rates the Chromium-internal severity as Medium, while NVD assigns CVSS 8.8 reflecting the broad impact on confidentiality, integrity, and availability if successfully triggered.
Technical ContextAI
Dawn is Chromium's open-source, cross-platform implementation of the WebGPU standard, providing a low-level GPU abstraction layer that translates WebGPU API calls into native graphics backends (Vulkan, Metal, D3D12). Because Dawn parses and processes attacker-influenced GPU command buffers and shader inputs originating from web content, bugs in its validation logic can yield memory-safety issues. The CWE-125 (Out-of-bounds Read) classification indicates that the implementation reads memory past the end (or before the start) of an intended buffer, which in a GPU/driver context can leak sensitive process memory or destabilize the renderer. The Buffer Overflow and Information Disclosure tags reinforce that the underlying defect involves boundary checks on Dawn-managed memory regions.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 or later on the Stable channel - update via Chrome's built-in updater or redeploy managed installs, then relaunch the browser to apply. Administrators of Chromium-derivative browsers and Electron apps should track their respective vendor advisories and rebuild against the patched Dawn version. As a compensating control until patches roll out, disable WebGPU by setting the chrome://flags/#enable-unsafe-webgpu flag to Disabled or via enterprise policy (the WebGPU feature can be turned off through the chrome://flags or via group policy by blocking chrome://gpu features), which removes the attack surface at the cost of breaking sites that rely on WebGPU rendering, ML inference, or accelerated graphics. Refer to the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and Chromium issue tracker entry https://issues.chromium.org/issues/500162791 for additional detail.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34539
GHSA-9p75-crhx-vjqc