PatchSiren

CVE-2026-9930 Google CVE debrief

CVE-2026-9930 is an out-of-bounds write vulnerability in Dawn, the WebGPU implementation in Google Chrome on macOS. The flaw, rated High severity by Chromium security, was present in versions prior to 148.0.7778.216 and could be exploited by a remote attacker via a crafted HTML page to perform out-of-bounds memory writes. The vulnerability was disclosed on May 28, 2026, with the CVE record modified the following day. Dawn is Chrome's native WebGPU implementation, and this vulnerability represents a memory safety defect that could potentially lead to code execution or browser compromise. The issue has been assigned CWE-787 (Out-of-bounds Write). No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Google
Product: Chrome
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

macOS users running Google Chrome, particularly those accessing web applications utilizing WebGPU for graphics or compute workloads. Security teams managing browser deployments and patch management programs. Organizations with bring-your-own-device policies where Chrome browser versions may vary.

Technical summary

This vulnerability exists in Dawn, Chrome's WebGPU implementation, specifically on macOS platforms. The out-of-bounds write condition can be triggered when processing crafted HTML content, indicating insufficient bounds checking in GPU command buffer handling or shader compilation paths. The fix in version 148.0.7778.216 suggests correction of array index validation or buffer size calculations in the Dawn graphics subsystem.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome on macOS to version 148.0.7778.216 or later to remediate this vulnerability.
  • Monitor for stable channel security updates from Google Chrome release announcements.
  • Review browser security settings and consider enabling site isolation features as defense-in-depth.
  • Assess organizational exposure to WebGPU-enabled web applications that may trigger Dawn code paths.
  • Apply the principle of least privilege for browser processes where feasible.
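
One way to verify the first action on a single Mac, as an added example that is not part of the advisory or any Google tooling. The fixed version comes from this page; the default install path and the use of PlistBuddy to read the bundle version are assumptions about a standard Chrome install.

```shell
#!/bin/sh
# Added example (not from the advisory): check one Mac for the fixed Chrome build.
FIXED_VERSION="148.0.7778.216"   # fixed version stated on this page
# Default install location is an assumption; override with CHROME_PLIST=...
CHROME_PLIST="${CHROME_PLIST:-/Applications/Google Chrome.app/Contents/Info.plist}"

# version_lt A B: return 0 when four-part version A is strictly older than B.
# Fields are compared as integers, so 148.0.7778.99 sorts before 148.0.7778.216
# (a plain string comparison would get that case wrong).
version_lt() {
    va=$1; vb=$2
    for _field in 1 2 3 4; do
        x=${va%%.*}; y=${vb%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        va=${va#*.}; vb=${vb#*.}
    done
    return 1   # equal versions are not "older"
}

# classify VERSION: print VULNERABLE, PATCHED or UNKNOWN for one version string.
classify() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 0 ;;
    esac
    # Exactly three dots means exactly four numeric fields.
    [ "$(printf %s "$1" | tr -d '0-9')" = "..." ] || { echo UNKNOWN; return 0; }
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# installed_version: print the on-disk Chrome version, or nothing if unreadable.
# A running browser keeps its old code until relaunch, so PATCHED on disk still
# needs a restart to take effect.
installed_version() {
    [ -f "$CHROME_PLIST" ] || return 0
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$CHROME_PLIST" 2>/dev/null || true
}

# audit_host: print a one-line status for this machine.
audit_host() {
    v=$(installed_version)
    if [ -z "$v" ]; then echo "chrome: not found at $CHROME_PLIST"; return 0; fi
    echo "chrome $v: $(classify "$v") (fixed in $FIXED_VERSION)"
}

audit_host
```

UNKNOWN covers version strings that are not four numeric fields, so a malformed inventory value is flagged for manual review instead of being counted as patched.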

Evidence notes

Vulnerability description and severity rating sourced from official Chromium security advisory. CWE-787 classification confirmed via NVD source metadata. Affected product and version range explicitly stated in CVE description. Vendor attribution to Google Chrome based on source references from [email protected].
