PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9874 Google CVE debrief

A critical use-after-free vulnerability in Dawn, the WebGPU implementation in Google Chrome, enables potential sandbox escape via crafted HTML pages. The flaw was addressed in Chrome 148.0.7778.216. Dawn is Chrome's native WebGPU implementation that provides GPU acceleration for web applications. Use-after-free vulnerabilities in browser GPU subsystems are particularly dangerous as they can bridge the gap between renderer process compromise and full sandbox escape, granting attackers system-level access. The Chromium security team rated this Critical severity, indicating active exploitation risk or severe impact potential. Organizations should prioritize updating Chrome installations to version 148.0.7778.216 or later.

Vendor
Google
Product
Chrome
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations with Chrome deployments; security teams monitoring browser-based threats; developers using WebGPU APIs

Technical summary

Use-after-free in Dawn (Chrome's WebGPU implementation) allows remote attackers to escape the Chrome sandbox via malicious HTML. Root cause is improper memory management in GPU command buffer handling. Attack vector requires user interaction with crafted web content. Successful exploitation yields privileges outside the renderer sandbox.

Defensive priority

critical

Recommended defensive actions

  • Update Google Chrome to version 148.0.7778.216 or later immediately
  • Verify Chrome auto-update is enabled for managed endpoints
  • Monitor for unexpected GPU process crashes as potential exploitation indicators
  • Review browser extension policies to reduce attack surface from untrusted web content
  • Consider enabling site isolation for additional renderer sandbox hardening

Evidence notes

CVE published 2026-05-28; modified 2026-05-29. Chrome Stable Channel update released same day as CVE publication. Chromium issue 500609038 tracks the underlying bug. CWE-416 (Use After Free) confirmed by NVD source.

Official resources

2026-05-28