CVE-2026-9874: Critical Chrome Dawn WebGPU Use-After-Free — How to Detect Vulnerable Browsers on Your Network
A critical use-after-free in Chrome's Dawn WebGPU implementation could allow remote code execution via a malicious web page. It is part of a massive 151-vulnerability Chrome 148 security update that included 22 critical flaws across Dawn, WebGL, and ANGLE GPU components.
The Vulnerability
CVE-2026-9874 is a use-after-free (CWE-416) in Dawn, Google's native WebGPU implementation that translates JavaScript WebGPU API calls into platform-specific GPU commands (Vulkan, Metal, D3D12). Google rates this vulnerability as Critical. Because Dawn operates at the boundary between the sandboxed renderer and native GPU drivers, use-after-free vulnerabilities in this component may be leveraged for code execution beyond the renderer sandbox.
- SEVERITY: Critical (Google Chrome rating) — Chrome Stable Channel Update
- CWE: CWE-416 (Use After Free)
- AFFECTED: Chrome < 148.0.7778.216/217 (Windows), < 148.0.7778.215/216 (macOS), < 148.0.7778.215 (Linux)
- BOUNTY: $11,000 — indicating confirmed high-impact exploitability
- EXPLOITATION: No active exploitation reported as of May 29, 2026
- PATCH: Chrome 148.0.7778.216 (Windows) / 148.0.7778.215 (macOS/Linux)
Why Dawn Matters
Dawn is the GPU abstraction layer that makes WebGPU work in Chrome. Every Chrome tab that uses WebGPU — 3D graphics, ML inference in the browser, GPU-accelerated compute — runs through Dawn. Because Dawn operates at the boundary between the sandboxed renderer process and native GPU drivers, memory-safety vulnerabilities in this component are particularly concerning. Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi share the same Dawn codebase.
Unlike actively exploited zero-days such as CVE-2026-5281 from March, Google has not reported active exploitation of CVE-2026-9874. However, the Critical severity rating and the $11,000 bounty signal confirmed high-impact exploitability. Bug details remain restricted until most users have updated.
The Chrome 148 Security Update
CVE-2026-9874 was patched as part of one of the largest Chrome security updates on record: 151 vulnerabilities in a single release, including 22 rated critical and 123 rated high severity. Multiple critical flaws targeted Chrome's GPU stack across Dawn, WebGL, and ANGLE.
CRITICAL GPU-RELATED CVEs IN THIS UPDATE
- CVE-2026-9874 — Use-after-free in Dawn (WebGPU) · Critical · $11,000
- CVE-2026-9889 — Use-after-free in Dawn (WebGPU) · Critical
- CVE-2026-9875, 9876, 9880 — Use-after-free in WebGL · Critical
- CVE-2026-9877, 9878, 9879 — Memory safety issues in ANGLE · Critical
The concentration of critical GPU-related vulnerabilities across Dawn, WebGL, and ANGLE in a single update underscores that Chrome's graphics stack is an actively targeted attack surface. All three components handle the translation between web content and native GPU operations — a high-privilege boundary that makes memory-safety bugs especially dangerous.
Investigation Workflow
Unlike server-side CVEs where you scan for exposed services, browser vulnerabilities require a different approach. You need to identify which machines on your network are running unpatched Chrome versions. Here's how to assess your exposure using RECON.
1. HTTP Headers: Detect Chrome Versions
When users access internal web applications, their User-Agent headers reveal browser versions. Use RECON's HTTP Headers tool against your internal web servers, proxies, or load balancers to inspect traffic. Any Chrome version below 148.0.7778.216 (Windows) or 148.0.7778.215 (macOS/Linux) is vulnerable, including earlier 148.0.7778.* builds and every older major version.
2. Port Scan: Find Chrome DevTools and Remote Debugging
Chrome instances with remote debugging enabled expose DevTools on port 9222 (default) or 9229. These are direct attack vectors — an attacker with network access to a debug port can execute arbitrary JavaScript in the browser. Scan your network for these ports. Any hit is both a configuration issue and a compounding factor for CVE-2026-9874.
3. DNS: Identify Chromium-Based Services
Chromium is embedded in Electron apps (Slack, VS Code, Teams, Discord), headless Chrome automation (Puppeteer, Playwright), and kiosk systems. Query internal DNS for common patterns: kiosk-*, signage-*, display-*. These embedded Chromium instances often lag behind Chrome's update cycle and may remain vulnerable longer.
4. CVE Lookup: Track Related Vulnerabilities
Use RECON's CVE Lookup to search for "chrome dawn" or "webgpu" to monitor the full cluster of Dawn vulnerabilities. With seven critical Dawn CVEs in this update alone, tracking the complete set ensures you don't miss related exposure.
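For step 1 above, the version check can be run over proxy or web-server logs. The following is an added example, not RECON's code: it compares each request against the patched builds listed in this advisory and accounts for Chrome's reduced User-Agent, which reports only MAJOR.0.0.0, so the build number is visible only when the server also logs the Sec-CH-UA-Full-Version-List client hint. The client addresses and header values are constructed samples, and the assumption is that your logs capture both headers.

```python
import re

# Patched builds per platform, taken from the advisory's PATCH line.
PATCHED = {"Windows": (148, 0, 7778, 216),
           "macOS": (148, 0, 7778, 215),
           "Linux": (148, 0, 7778, 215)}
UA_CHROME = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
HINT = re.compile(r'"(?:Google Chrome|Chromium)";v="(\d+)\.(\d+)\.(\d+)\.(\d+)"')


def platform_of(ua):
    if "Android" in ua or "CrOS" in ua:
        return None  # the advisory lists no fixed build for these platforms
    for token, name in (("Windows NT", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")):
        if token in ua:
            return name
    return None


def classify(ua, full_version_list=""):
    """Classify one request as vulnerable, patched, unknown or not-chrome."""
    ua_match = UA_CHROME.search(ua)
    if not ua_match:
        return "not-chrome"
    fixed = PATCHED.get(platform_of(ua))
    if fixed is None:
        return "unknown"
    hint = HINT.search(full_version_list)
    version = tuple(int(x) for x in (hint or ua_match).groups())
    # A reduced User-Agent reports MAJOR.0.0.0, so only the major is usable.
    if not hint and version[1:] == (0, 0, 0):
        if version[0] == fixed[0]:
            return "unknown"  # right major, build number not visible
        return "vulnerable" if version[0] < fixed[0] else "patched"
    return "vulnerable" if version < fixed else "patched"


# Constructed sample requests: (client, User-Agent, Sec-CH-UA-Full-Version-List).
WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
SAMPLE = [
    ("10.0.4.17", WIN + "Chrome/147.0.0.0 Safari/537.36", ""),
    ("10.0.4.22", WIN + "Chrome/148.0.0.0 Safari/537.36", ""),
    ("10.0.4.31", WIN + "Chrome/148.0.0.0 Safari/537.36", '"Chromium";v="148.0.7778.215", "Google Chrome";v="148.0.7778.215"'),
    ("10.0.4.40", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.215 Safari/537.36", ""),
]


def triage(records):
    return {client: classify(ua, hint) for client, ua, hint in records}
```

Clients that come back as "unknown" need the endpoint-management or chrome://version checks described below, because the header alone cannot settle them.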
Cross-Reference with External Data
- CHROME ENTERPRISE: Check Chrome Browser Cloud Management for fleet-wide version reporting
- ENDPOINT MANAGEMENT: Query your MDM/EDR for Chrome versions across managed devices
- SHODAN: Search product:"Chrome DevTools" for exposed debug ports on your perimeter
Remediation
- Update Chrome immediately. Ensure all managed browsers reach 148.0.7778.216+ (Windows), 148.0.7778.215+ (macOS/Linux). Verify via chrome://version. A browser restart is required to activate the update.
- Update all Chromium-based browsers. Microsoft Edge, Brave, Opera, and Vivaldi share the same Dawn/WebGPU code. Check each vendor's update channel. Linux distro Chromium packages may lag behind.
- Force auto-update. If you manage Chrome via Group Policy or MDM, verify that auto-updates are not blocked. Push a forced update via Chrome Enterprise policies with minimum version enforcement.
- Verify Electron apps. Applications embedding Chromium (Slack, VS Code, Teams, Discord) ship their own Chromium binary. Verify the bundled Chromium/Electron version and vendor patch status — they are not automatically patched when Chrome updates.
- Audit headless Chrome. CI/CD pipelines, web scrapers, and test automation using Puppeteer or Playwright run headless Chromium. Pin and update Chromium revisions in Docker images, Selenium grids, and CI configs.
- Disable remote debugging. Kill any Chrome instances launched with --remote-debugging-port. This flag should never be enabled in production or on user workstations.
- Consider disabling WebGPU on high-risk systems via Chrome enterprise policy WebGPUAllowed=false until patching is confirmed fleet-wide. This removes the Dawn attack surface entirely but may break WebGPU-dependent web applications.
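For the "Disable remote debugging" item, an endpoint-side audit of process command lines finds the flag without scanning the network. This is an added example, not part of the original advisory: it parses `ps -eo pid,args` output (the sample below is constructed, including its paths and PIDs) and separates loopback-only listeners from ones bound to a network address, skipping `--remote-debugging-pipe`, which opens no TCP port.

```python
import re

PORT = re.compile(r"--remote-debugging-port(?:=(\d+))?(?=\s|$)")
ADDR = re.compile(r"--remote-debugging-address=(\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed `ps -eo pid,args` output for illustration; not from a real host.
SAMPLE_PS = """\
  PID COMMAND
 2101 /opt/google/chrome/chrome --type=renderer --lang=en-US
 2250 /opt/google/chrome/chrome --remote-debugging-port=9222 --user-data-dir=/tmp/dbg
 3310 /usr/bin/chromium --headless --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0
 3402 /usr/lib/slack/slack --remote-debugging-port=0
 3555 /ms-playwright/chromium/chrome --headless --remote-debugging-pipe
"""


def audit(ps_output):
    """Return one finding per process that opens a DevTools TCP listener."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        pid, _, args = line.strip().partition(" ")
        port = PORT.search(args)
        if not pid.isdigit() or not port:
            continue  # no debug flag, or pipe transport with no TCP socket
        addr = ADDR.search(args)
        bind = addr.group(1) if addr else "127.0.0.1"  # loopback is the default bind
        value = port.group(1)
        findings.append({
            "pid": int(pid),
            # port 0 or a bare flag means the port is chosen at runtime
            "port": int(value) if value and value != "0" else None,
            "exposure": "loopback" if bind in LOOPBACK else "network",
        })
    return findings
```

A "network" finding is the urgent case; a "loopback" finding still lets any local process drive the browser and should be closed out as well.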