Google dropped an urgent update for Chrome on Tuesday, patching a high-severity vulnerability in the browser’s Dawn graphics engine that could let a remote attacker slurp sensitive information straight out of your computer’s memory. Tracked as CVE-2026-14408, the flaw affects all desktop versions of Chrome and requires an immediate update to version 150.0.7871.46.

What Changed in the Engine Room

The bug sits in Dawn, the open-source library that powers Chrome’s WebGPU and WebGL implementations. Dawn acts as a translator between JavaScript graphics commands and the native GPU APIs on Windows, macOS, and Linux. It handles shader compilation, command buffers, and memory allocation for all GPU-accelerated content you see in the browser — from 3D games and interactive visualizations to hardware-accelerated video rendering.

CVE-2026-14408 is an uninitialized memory issue. When certain WebGPU operations run, Dawn can fail to zero out a buffer before using it. That means the buffer retains whatever data was stored in that memory location previously — possibly from another website, a browser extension, or the GPU driver itself. If an attacker crafts a malicious webpage, they can trigger the condition and then read that leftover data, extracting fragments of sensitive information.

Google’s advisory classifies the vulnerability as “high” severity because it allows remote attackers to “obtain potentially sensitive information from process memory” without any click or interaction from the user beyond visiting a page. It’s worth emphasizing that this is not a memory leak in the traditional sense — memory isn’t being exhausted — but an information leak that punches holes in Chrome’s site isolation and sandbox defenses. Full technical details remain under wraps until most users have updated, a standard practice to slow down exploitation.

Who’s at Risk and What’s at Stake

Every Chrome user on desktop is potentially exposed. The attack vector is a drive-by: you visit a malicious website, and the page’s WebGPU or WebGL calls trigger the uninitialized buffer read. No pop-ups, no downloads, no clicks. Attackers could host the exploit on a compromised site or deliver it through malvertising.

The types of data that could be scraped are the stuff of nightmares. Process memory on a modern browser contains an ever-shifting mix of your browsing history, session cookies, autofill passwords, cryptocurrency wallet credentials, and even decrypted TLS traffic. An information leak like this can be the first step in a larger chain — revealing a login cookie, for instance, that allows an attacker to hijack your online banking session.

Businesses face amplified risk. A single unpatched Chrome instance on a corporate network becomes a gateway for attackers to siphon internal documents, email tokens, or VPN credentials. DevOps teams and IT managers with privileged access to cloud dashboards through the browser are particularly lucrative targets. And while CVE-2026-14408 specifically affects Chrome, the entire family of Chromium-based browsers — Microsoft Edge, Brave, Opera, Vivaldi, and others — may carry the same flaw until their vendors pick up the upstream fix. Edge, in particular, typically releases a patched build within a day or two, but the delay window is one that attackers actively scan for.

Mobile Chrome is not mentioned in Google’s advisory, and the Dawn component is desktop-only (Android and iOS use different graphics stacks), so phones and tablets are not vulnerable this time.

The Road to Patch 150.0.7871.46

Chrome’s update machinery is one of the fastest in the industry, and this case is no exception. Google releases stable channel refreshes roughly every two weeks, with out-of-band emergency fixes for zerodays that are under active attack. CVE-2026-14408 was folded into a scheduled update rather than an emergency release, suggesting that the company does not see evidence of exploitation in the wild — yet.

The vulnerability was reported to the Chrome Vulnerability Rewards Program by an external researcher, a detail that Google acknowledged in the release notes. While the bounty amount wasn’t disclosed, information leaks that break sandbox boundaries typically command payouts between $2,000 and $5,000. The fix itself was a straightforward change in Dawn’s buffer allocation logic to ensure memory is always zero-initialized before use.

This is Chrome 150’s second stable refresh since its debut. The initial 150.0.7871.35 build shipped with the usual payload of new features and security fixes, but this 150.0.7871.46 point release is purely a security rollup. Alongside CVE-2026-14408, Google squashed five other bugs, all rated high or medium. The update leaves the user-facing Chrome 150 feature set untouched — your browser will look and behave exactly the same, just without the leaking memory.

What You Need to Do Now

If you’re a home user:

  1. Open Chrome. Click the three-dot menu in the top-right corner. Go to Help > About Google Chrome. The page will automatically check for updates and download version 150.0.7871.46.
  2. When the download finishes, click Relaunch. Chrome will restore your open tabs, but save any work in progress to be safe.
  3. After restart, verify the version by typing chrome://version in the address bar and checking the top line.
  4. If you use any other Chromium-based browser (Edge, Brave, Opera), repeat the same process in that browser: Edge’s update check is under Settings and more > Help and feedback > About Microsoft Edge.

This update is too risky to defer. Relaunching might be a minor inconvenience, but the alternative is a browser that could be leaking your data to any site you visit.

If you’re an IT administrator:

  • For managed Windows fleets, deploy the new MSI or PKG immediately through your standard software distribution pipeline (SCCM, Group Policy, Intune, or Jamf). The MSI installer is available on the Chrome Enterprise download page.
  • If you use Chrome Browser Cloud Management, push the update policy to all enrolled browsers. Force a relaunch during the next maintenance window or after hours to minimize disruption.
  • For unmanaged but corporate-owned devices, send an internal communication with simple step-by-step instructions and a hard deadline — ideally within 24 hours.
  • Keep an eye on your Chromium-based ecosystem. Edge’s stable channel typically receives the Dawn fix within 48 hours of Chrome’s release. Check your update rings and override any delay policies temporarily to accelerate the patch.
  • Watch for any spikes in unusual network activity, especially connections to unfamiliar IPs from devices that haven’t yet updated. While there’s no known exploit for CVE-2026-14408, the window between patch and reverse-engineered exploit is shrinking.

For developers and early adopters:

If you build WebGPU applications or shaders, test them on 150.0.7871.46. The zero-initialization fix may alter undefined behavior you were inadvertently relying on. This is a good moment to check your code for any assumptions about uninitialized memory.

Outlook: A Graphics Engine in the Crosshairs

WebGPU is one of Chrome’s most exciting frontiers. It brings near-native GPU performance to the web, unlocking sophisticated machine learning, data visualization, and gaming. But the complexity that makes it fast also makes it a rich attack surface. Dawn sits at the intersection of the web platform and the bare metal, and every new feature or optimization risks introducing subtle memory bugs like this one.

Google’s ability to patch CVE-2026-14408 within a regular release cycle is reassuring, but the burden of staying safe still rests on users and IT teams. Automatic updates are the best defense, but Chrome’s silent background updater can lag by hours or days on slower connections. A manual check is the only way to be certain.

Looking ahead, expect more of these disclosures. Chromium’s bug bounty program has been incentivizing researchers to dig into GPU-related components, and they’re finding results. For now, the message is clear: this is not the Chrome update to procrastinate. The tab you leave open tomorrow could be the one that gives an attacker the key to much more.