Google shipped an out-of-band update for Chrome on June 30, 2026, plugging a critical type-confusion hole in the browser’s Dawn graphics backend that puts Windows users at risk of remote code execution.
The vulnerability, tracked as CVE-2026-13776, is rated critical and allows a crafted webpage to corrupt memory in the GPU process, potentially breaking out of Chrome’s stringent sandbox and gaining control over the underlying operating system. The fix arrives in version 150.0.7871.47 for Windows, Mac, and Linux, and Google is urging users to install it immediately.
The Patch: Chrome 150.0.7871.47 Lands
The update, rolled out on June 30, addresses a single security bug: a type confusion in Dawn, the cross-platform WebGPU implementation that powers Chrome’s modern graphics stack. Type-confusion flaws occur when code treats an object of one data type as if it were another, which can lead to out-of-bounds memory access. In Dawn’s case, the mistake happens inside the component that translates WebGPU shader programs, which runs outside the normal renderer sandbox in the GPU process. That makes the bug especially dangerous: if an attacker can exploit it, they might chain it with another flaw to escape the sandbox entirely and execute malicious code on the system.
Google’s advisory doesn’t go into technical detail, following its policy of withholding full bug descriptions until most users have applied the update. But the speed of the release—just a single fix and no other changes in the stable channel—signals urgency. Past critical Dawn bugs, such as CVE-2025-21456, were exploited in the wild within days of disclosure, and this one follows a similar pattern.
The patch bumps Chrome to 150.0.7871.47. To verify you’re protected, open the browser’s menu and go to Help > About Google Chrome. The version number appears there, and the browser will download the update automatically if it hasn’t already. A relaunch is required to complete the installation.
Wait, There’s a Catch for Vulnerability Scanners
As users rush to patch, security teams might run into a hiccup with the National Vulnerability Database (NVD). When CVE-2026-13776 first appeared, the NVD’s entry listed incomplete Common Platform Enumeration (CPE) data, which identifies affected software versions. Without accurate CPE strings, vulnerability scanners like Tenable or Qualys can’t reliably detect whether Chrome installations are vulnerable.
The NVD’s change history for the CVE shows that the CPE data was updated shortly after the initial publication, but the gap left a window where automated tools were blind to the flaw. For organizations relying on scan results to trigger patching, that delay matters. IT admins should not wait for scanner reports; they should push the update through enterprise management tools or group policies immediately.
Microsoft’s own security tools, such as Defender Vulnerability Management, pull from the NVD, so they suffered the same blind spot. As of July 1, the CPE data appears correct in the NVD feed, but admins should double-check that their scanners have ingested the latest database.
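
The blind spot described above, as an added example (not code from NVD, a scanner vendor or the original article): a CPE-driven check run against two constructed records laid out like the NVD API 2.0 `cve` object, one without configurations and one with a corrected range. The function names and both records are assumptions; only the CVE ID and fixed version come from the article.

```python
# Constructed records modelled on the NVD API 2.0 "cve" object layout; they are
# not copies of the real NVD entry. CVE id and fixed version come from the article.
FIXED = "150.0.7871.47"
AT_PUBLICATION = {"id": "CVE-2026-13776"}  # assumption: no "configurations" yet
AFTER_UPDATE = {
    "id": "CVE-2026-13776",
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
         "versionEndExcluding": FIXED},
    ]}]}],
}


def vtuple(version):
    """'150.0.7871.47' -> (150, 0, 7871, 47), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def in_range(match, version):
    """Apply the optional version bounds of one cpeMatch entry."""
    v = vtuple(version)
    checks = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(vtuple(match[key])) for key, ok in checks if key in match)


def scanner_verdict(record, vendor, product, version):
    """What a CPE-driven scanner can conclude from this record alone."""
    entries = [m for cfg in record.get("configurations", [])
               for node in cfg.get("nodes", [])
               for m in node.get("cpeMatch", [])]
    if not entries:
        return "no CPE data"  # nothing to match: the install is never flagged
    for m in entries:
        # Simplifications: plain split (no escaped ':'), node AND/negate ignored.
        f = m["criteria"].split(":")
        same_product = f[3:5] == [vendor, product]
        version_ok = in_range(m, version) if f[5] == "*" else f[5] == version
        if m.get("vulnerable") and same_product and version_ok:
            return "vulnerable"
    return "not vulnerable"
```

A result of "no CPE data" should be handled as "unverified" rather than "clean", which is why the advice to patch without waiting for scan results holds.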
What Type Confusion in Dawn Means for Windows Users
Chrome’s architecture splits work into multiple processes, each locked down by sandboxes that restrict what the process can do. The main threat in this vulnerability is that the bug lives in the GPU process, which has more privileges than a typical renderer because it must talk directly to graphics drivers. A type confusion here could allow an attacker to write data beyond its intended memory boundary, corrupting memory in a way that eventually leads to code execution.
On Windows, the GPU process runs at a lower integrity level than the user, but a sandbox escape would let the attacker escalate to the user’s normal privileges—reading files, installing malware, or stealing credentials. In worst-case scenarios, combined with a kernel-level exploit, it could lead to full system compromise.
For the average home user, the risk is real but simple to mitigate: turn on automatic updates in Chrome. The browser checks for new versions every few hours by default and applies them on restart. If you leave Chrome running for days on end, you might have missed the update. A quick relaunch closes the gap.
Power users and gamers who push WebGPU limits—testing new demos, running graphics-intensive web apps, or experimenting with machine learning in the browser—are more exposed because they’re more likely to visit sites that trigger complex Dawn shader paths. Still, any website you browse could serve a malicious WebGPU payload, so everyone should patch.
How We Got Here: Dawn’s Growing Pains
Dawn is Google’s implementation of the WebGPU standard, which gives web apps low-level access to a computer’s GPU. It shipped as the default graphics backend in Chrome 113 back in May 2023, replacing the older WebGL-based stack. While WebGPU unlocks impressive performance for games and creative tools, it also opens a larger attack surface because the browser must parse and validate shader code from untrusted web sources.
Type-confusion bugs have plagued browser graphics stacks since their inception. In 2022, a similar flaw in Chrome’s old WebGL stack, CVE-2022-3075, earned a $20,000 bug bounty and was actively exploited. Dawn’s C++ codebase, which handles complex memory management for GPU resources, is particularly susceptible to these errors. Google’s own security research has repeatedly identified type confusion as one of the most common root causes for critical browser bugs.
The CVE-2026-13776 fix comes just four weeks after Chrome 149 addressed six high-severity Dawn bugs, suggesting either increased scrutiny from security researchers or a spike in vulnerabilities as WebGPU adoption grows. The NVD’s initial CPE stumble likely reflects the challenge of tracking fast-moving Chrome releases: the browser updates every two to three weeks, and NVD processes can lag behind.
Microsoft’s own Edge browser, built on Chromium, inherits the same Dawn code. Although Microsoft hadn’t issued a separate advisory at the time of publication, Edge’s about:flags page shows Dawn is enabled by default, meaning Edge users are equally vulnerable until Microsoft ports the patch—usually within a day or two of Chrome’s release. Edge 150.0.7871.47 or later will include the fix; check edge://settings/help to verify.
What to Do Now
For everyone:
1. Check and update Chrome now. Type chrome://settings/help in the address bar. If the version is less than 150.0.7871.47, the update will download. Click “Relaunch” to finish.
2. Enable automatic updates. If you’ve turned them off, go to chrome://settings/help and ensure the toggle is on.
3. Restart your browser regularly. Chrome can download updates in the background, but they only apply when you restart. If you see a green “Update” arrow in the top-right corner, click it.
For IT administrators:
- Push the update via your management console. Use Group Policy for Chrome (Google Update policies) to force an update to the latest version. Chrome Browser Cloud Management can automate this.
- Verify Edge is updated. If your organization uses Edge, check for the corresponding version. Microsoft typically releases Chromium patches within 24–48 hours. Watch for an Edge release note referencing CVE-2026-13776.
- Don’t wait on vulnerability scanners. Until your scanner ingests the corrected NVD CPE data, it may report false negatives. Manually spot-check a sample of Windows endpoints to confirm Chrome is on 150.0.7871.47 or newer.
- Consider disabling WebGPU if you can’t patch immediately. As a stopgap, you can turn off Dawn by navigating to chrome://flags/#enable-unsafe-webgpu and setting it to “Disabled.” This breaks WebGPU-reliant sites but removes the attack vector. Do this only temporarily; patching is always better.
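
One way to run the manual spot-check from the administrator list, as an added example (not code from Google, Microsoft or the original article): it triages a constructed inventory export against 150.0.7871.47 and compares versions numerically, because a plain string comparison would rate 150.0.7871.9 as newer than the fixed build. The CSV layout, host names, sample versions and function names are assumptions.

```python
import csv
import io

FIXED = (150, 0, 7871, 47)  # 150.0.7871.47, the fixed build named in the article
# (the article gives the same threshold for Edge)

# Constructed inventory export; host names and versions are made up.
INVENTORY_CSV = """host,browser,version
ws-001,chrome,150.0.7871.47
ws-002,chrome,150.0.7871.9
ws-003,chrome,149.0.7800.120
ws-004,edge,150.0.7871.100
ws-005,chrome,
ws-006,edge,150.0.7871.5
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the field is empty or malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(csv_text, fixed=FIXED):
    """Sort hosts into patched / needs_update / unknown."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["version"] or "")
        if version is None:
            bucket = "unknown"  # no usable version: unverified, not safe
        elif version >= fixed:
            bucket = "patched"
        else:
            bucket = "needs_update"
        result[bucket].append((row["host"], row["browser"]))
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY_CSV).items():
        print(bucket, hosts)
```
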
For developers:
- Audit your own WebGPU usage. If you maintain sites that use WebGPU, review your shader validation and ensure you’re not passing untrusted data to the GPU without strict type checks. While this CVE targets browser code, defense in depth never hurts.
Outlook: More Dawn Bugs Ahead
WebGPU’s adoption is still climbing, with major frameworks like TensorFlow.js and Babylon.js adding support, and Windows 11 now using WebGPU for certain native rendering tasks via WebView2. That growth means security researchers will keep digging. Google’s bug bounty program pays up to $15,000 for high-severity Dawn flaws, attracting careful eyes.
The NVD’s CPE hiccup serves as a reminder that vulnerability management isn’t fully automated; a human must still verify that patches have landed. For Windows users, the takeaway remains simple: treat every Chrome critical advisory as a “patch now” event, because the browser’s weekly user base of over three billion makes it a permanent target.
Next, watch for Microsoft’s Patch Tuesday on July 14, 2026, where it may roll out a broader Chromium security update for Edge and any Windows components that embed WebView2. And keep an eye on Google’s Chrome Release Blog for any follow-up fixes—sometimes a critical patch needs a second update to close bypasses.