Google disclosed a high-severity vulnerability on May 6, 2026, that could let any website you visit peek into your browser’s process memory. Tracked as CVE-2026-7924, the flaw sits inside Dawn, the WebGPU implementation in Chrome, and affects all Chromium-based browsers—including Microsoft Edge—before version 148.0.7778.96.

The bug is an uninitialized-use issue in the graphics layer, which means a specially crafted HTML page could coax the browser into reading memory that hasn’t been properly sanitized. That memory may contain anything from cryptographic tokens to browsing history, and attackers on the open web need nothing more than a page you load to exploit it.

Google patched Chrome for Windows, macOS, and Linux within days, and the updated build (148.0.7778.96 for Linux, 148.0.7778.96/97 for Windows/macOS) landed as part of a massive 127-security-fix update—one of Chrome’s largest point releases in recent years. Microsoft has confirmed the issue in its own Security Update Guide and says a fix for Edge is being prepared, but has not yet shipped a patched version to all channels.

The Bug at a Glance

CVE-2026-7924 is classified as an uninitialized-use in Dawn, Chromium’s low-level graphics abstraction layer that underpins WebGPU. In plain terms, the browser uses memory before it has been cleared, leaking whatever was previously stored there. The Chromium security team rated it “High,” while the CVSS 3.1 score from CISA landed at 6.5 (Medium).

The attack surface is the public internet. An attacker hosts a malicious webpage; you visit it; JavaScript on the page triggers the flawed graphics path; and the browser inadvertently exposes fragments of process memory that could include sensitive data. No special permissions, pop-ups, or downloads are required—just browsing.

Critically, this is an information-disclosure vulnerability, not a remote code execution bug. But in the browser world, memory leaks often serve as stepping stones for more sophisticated attacks by revealing memory layout, bypassing randomization defenses, or exfiltrating credentials. The advisory says it “could allow a remote attacker to obtain potentially sensitive information from process memory,” which is vague but alarming when you consider all the data a modern browser caches in RAM.

Your Risk Profile

Home users who let Chrome auto-update are already protected—if they’ve restarted the browser. The patch downloads silently, but running processes don’t refresh until you close and reopen Chrome. Many people leave their browser open for days or weeks; if you do, you’re still vulnerable even though the update is technically installed. Check chrome://settings/help to see your current version and relaunch if necessary.

The real headache is for IT administrators and enterprise environments. Here’s why:

  • Delayed update rings. Organizations often test browser updates before deployment, leaving thousands of users on vulnerable builds for days or weeks. Each day of delay is a day that a watering-hole attack or malicious ad could weaponize the flaw against your workforce.
  • Edge’s lag. Microsoft Edge is Chromium-based, so it inherits the vulnerability. Although the Microsoft Security Response Center (MSRC) has acknowledged CVE-2026-7924, the patch timeline for Edge can differ from Chrome’s—sometimes by hours, sometimes by longer if your Edge updates are managed through Windows Update or SCCM. On May 6, Microsoft stated it was “aware of recent Chromium security fixes” and “actively working,” but did not provide a version number or date for a fixed Edge build.
  • Electron and other Chromium forks. If your company uses Electron apps (Teams, Slack, VS Code, etc.), any embedded Chromium engines must also be patched. The NVD’s Common Platform Enumeration (CPE) record often lags behind, so vulnerability scanners may miss non-Chrome Chromium instances. Portable browsers, developer builds, and even custom kiosk browsers can all harbor the same flaw.

Developers and ISVs must audit any Chromium-derived runtimes they ship. The CVE metadata alone won’t flag Electron or WebView2 apps; you need to track the Chromium version inside each component and update accordingly.

What Happened Under the Hood

Dawn is the bridge between JavaScript’s WebGPU API and your computer’s GPU. When a website wants to run a complex 3D rendering, machine-learning model, or shader-based effect, Dawn marshals the commands, compiles shaders, allocates buffers, and schedules work on the graphics hardware. All of that happens inside the browser’s process, with strict sandboxing to prevent a compromised renderer from reading arbitrary memory.

CVE-2026-7924 occurs when a buffer (a chunk of GPU-accessible memory) is used before it has been initialized. In a normal flow, the browser sets aside a block of memory, clears it (or fills it with safe defaults), and then allows WebGPU operations to read from it. This flaw skips the clearing step. The result: whatever data was left in that memory from a previous operation—perhaps a previous website’s rendering, an image cache, or an authentication token—becomes visible to JavaScript on the attacker’s page.

The Chromium project’s rapid patch turnaround (the fix was included in the Chrome 148 stable release within a few days of internal discovery) reflects how seriously Google treats graphics pipeline bugs. But the root cause isn’t unique to Dawn. Any part of the browser that interacts with hardware drivers and memory management is vulnerable to similar mistakes, and the web platform is only adding more such interaction points with each new specification.

A Patch Juggernaut

Chrome 148 arrived as a security behemoth. The public-facing release notes counted 127 security fixes, including multiple critical vulnerabilities elsewhere in the browser stack—use-after-free flaws in the renderer, heap buffer overflows in media, and a sandbox escape potential in Mojo. CVE-2026-7924 was just one tile in that mosaic, but it stood out because it touched the modern graphics stack that many non-technical users barely know exists.

For Windows admins, the volume of fixes is a double-edged sword. On one hand, it’s reassuring that Google is aggressively stamping out bugs. On the other, a point update that patches over a hundred issues means there’s a lot of risk packed into pre-patch versions. If your change-control board is still treating browser updates as optional user-level applications, it’s time to reclassify them as critical security controls.

Your Action Plan

  1. Verify Chrome immediately. On managed Windows endpoints, force a browser relaunch if Chrome has been updated but not restarted. Use a management tool or script to check the version number remotely. Glance at chrome://version on a sample of machines.
  2. Check Edge as well. Since Microsoft’s patch isn’t yet released to all channels at time of writing, monitor the MSRC entry and your Edge update cadence. If you use Edge stable, you can’t rush the patch, but you can shorten the exposure by ensuring Edge is set to update automatically and that users aren’t blocking the process.
  3. Expand your Chromium inventory. Don’t rely solely on the CPE name “Google Chrome.” Scan for any process with “chrome” or “chromium” in its path, including Electron apps, Brave, Vivaldi, embedded WebView2 apps, and unsigned developer builds. Each one inherits the Dawn vulnerability until its respective vendor ships a Chromium update.
  4. Don’t be misled by CVSS 6.5. A medium-severity score under CVSS 3.1 feels benign, but CVSS scores don’t capture the ubiquity of browsers. A web-reachable information-disclosure bug in an application used by every employee, every day, is operationally severe. Triage based on exposure, not just numbers.
  5. Test faster, patch faster. Audit your browser update ring policies. If your test cycle for Chrome is longer than two days, you’re gambling. Consider accelerating security-only browser patches to a separate, faster track while leaving broader feature updates on a slower cadence.

Looking Ahead

CVE-2026-7924 won’t be the last WebGPU bug. As browser APIs absorb ever more native capabilities—GPU compute, machine-learning accelerators, advanced video codecs—the attack surface will grow, and the patch volume will keep pace. The lesson for Windows shops is clear: treat every Chromium-based browser as a core security component, require evidence of updates on every endpoint, and close the gap between “patch available” and “patch confirmed running.”

The immediate risk passes once your fleet is on fixed builds. The systemic risk remains: in a world where a memory-initialization bug in a graphics library can give strangers a window into your browsing session, patch latency is a liability that no CVE score can fully capture.