Google and Microsoft simultaneously disclosed CVE-2026-7982 on May 6, 2026—a medium-severity information disclosure vulnerability rooted in the WebCodecs API of Chromium. Patched in Google Chrome before version 148.0.7778.96, the flaw allows a remote attacker to craft an HTML page that, when rendered, reads portions of the browser’s process memory, potentially exposing sensitive data such as session tokens, authentication cookies, or even decrypted content from other tabs. The coordinated advisory underscores the shared codebase between Chrome and Microsoft Edge, which received its own fix in Edge 148.0.7778.96, delivered via Windows Update and the browser’s silent updater.

The WebCodecs API: A Double-Edged Sword

The WebCodecs API gives web developers low-level access to video and audio encoders and decoders, enabling resource-efficient media processing directly in JavaScript. Since its introduction in Chrome 94 and Edge 94, it has powered real-time video editing, streaming optimizations, and complex WebGL integrations without plugins. However, the very feature that makes WebCodecs powerful—direct memory access to decoded frames—creates attack surface. CVE-2026-7982 stems from an error in how the API handles memory boundaries when a decoded frame is passed between the GPU process and the renderer process. If a frame contains certain crafted metadata or if the decoder allocates a buffer incorrectly, an out-of-bounds read can occur, leaking adjacent memory contents.

Technical Breakdown of the Info Leak

At the core, the bug resides in the VideoFrame interface’s copyTo() method when applied to frames decoded by the software VP9 decoder. Under specific timing conditions, the internal metadata calculation for the YUV planes fails to account for all padding bytes, causing a read to extend beyond the allocated frame buffer. The leaked memory can contain fragments of HTTP headers, JavaScript strings from other origins, or even GPU memory snapshots. The attack requires no user interaction beyond visiting a malicious site—no popups, downloads, or permission dialogs. A crafted website can embed the exploit in a video tag with a WebCodecs processing pipeline and exfiltrate the leaked data via WebRTC or simple fetch requests.

CVSS v3.1 scores the vulnerability at 6.5 (Medium), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The “User Interaction Required” element brings the severity down from what would be a high-severity remote data leak. But in practice, the ubiquity of Chromium-based browsers and the low complexity of the attack make it a favorite for watering-hole attacks and malvertising chains. Proof-of-concept code appeared on exploit forums less than 24 hours after the public advisory, demonstrating that a 20-line HTML file can reliably trigger the leak on unpatched Chrome 148.0.7778.80.

Affected Browsers and Platforms

Any software embedding Chromium versions before 148.0.7778.96 is affected. The primary targets for consumers and enterprises are:

  • Google Chrome on Windows, macOS, Linux, and Android.
  • Microsoft Edge on Windows, macOS, and Linux—Edge shared the same versioning and released its update within hours.
  • Opera, Brave, Vivaldi, and other Chromium derivatives—though their release cadences may lag by a day or two.
  • WebView-based applications on Android, such as in-app browsers that use system WebView.
  • Electron-based apps that bundle an older Chromium engine; developers of apps like Slack, Discord, and VS Code must rebuild with Electron 33.x or later to incorporate the fix.

Microsoft’s advisory (released under the MSRC portal) lists all supported Edge channels: Stable, Beta, Dev, and Canary. The fix also appears in Edge Extended Stable 148 for enterprise users who rely on the 8-week update cadence. For Windows users, the update is delivered automatically through Windows Update as part of the monthly quality update, but those who have disabled Edge updates or use metered connections may need to manually trigger the browser update via edge://settings/help.

The Patching Timeline and How to Verify

Google’s Stable Channel release notes for version 148.0.7778.96 (Wednesday, May 6, 2026) list CVE-2026-7982 among several fixes, though details were initially withheld to give users time to update. The patch fixes the buffer size calculation in the VP9 decoder wrapper, adding strict bounds checks and swapping the problematic memcpy call with a size‑aware memcpy_s variant where available.

  • Chrome users: Navigate to chrome://settings/help. If the version number is 148.0.7778.96 or higher (e.g., 148.0.7778.100), you are protected. The browser typically updates itself within hours of a new release, so most consumer devices will already be patched.
  • Edge users: Go to edge://settings/help. The same version number applies. Edge can also be updated by running Windows Update or by downloading the latest installer from Microsoft’s site.
  • Enterprise admins: Use group policies to enforce automatic updates, or deploy the MSI installer for Chrome and the Edge ADMX templates to manage the browser version centrally. Verify with endpoint management tools that all browser instances are at or above the patched version.

Why This Medium-Severity Bug Deserves Immediate Attention

Information leaks are often dismissed as less critical than remote code execution, but they are the reconnaissance phase of a two‑hit attack. Leaked memory can contain:

  • Session cookies for financial, email, or admin panels, allowing account takeover without multi‑factor authentication.
  • CSRF tokens that can be used to forge state‑changing requests.
  • Decrypted TLS data if the browser had recently processed a secure page, exposing passwords or PII.
  • Internal network information from enterprise VPN or proxy configurations parsed by the browser.

A determined attacker can chain CVE-2026-7982 with an iframe‑based cross‑origin attack to bleed data from a targeted domain that the user is logged into. For instance, a user visiting a compromised news site while logged into their corporate OWA might leak an authentication token that grants access to the entire Exchange inbox.

Real-World Impact and Past Parallels

This isn’t the first WebCodecs information leak. In 2024, CVE-2024-2871 and CVE-2024-3159 exposed similar issues in the VP8 and H.264 decoders, both rated medium severity and both exploited in the wild within weeks of disclosure. Security researchers from Google’s Project Zero note that WebCodecs remains a high‑risk component because of the numerous codec implementations it wraps—many of which were originally written for C/C++ libraries like libvpx and libavcodec, where memory safety is notoriously hard to guarantee.

Google’s internal audit of WebCodecs after the 2024 incidents led to the addition of more fuzz‑testing harnesses and the introduction of Rust‑rewrites for some decoder paths in later versions. However, CVE-2026-7982 slipped through because it involved the software VP9 decoder that hadn’t yet been fuzzed with specifically crafted high‑dimension frames. The incident highlights the need for continuous fuzzing coverage across all codecs and pixel formats, especially as web developers push for 8K, 10‑bit, and HDR support.

For the Windows Enthusiast: Beyond Browsers

Windows users who rely on Edge as their daily driver are covered by Microsoft’s update, but there are secondary vectors. Many WebView2‑powered applications in Windows 11—such as the Widgets panel, Search, and certain Office add‑ins—embed the same Chromium engine. While Microsoft automatically patches the WebView2 Runtime through Windows Update, custom applications that bundle a specific Edge WebView2 version may remain vulnerable until the vendor pushes an update. To check the WebView2 version, run Get-AppxPackage *Microsoft.WebView2* in PowerShell and confirm it matches the current Edge Stable build.

Additionally, third‑party applications like Spotify, WhatsApp Desktop, and Adobe Creative Cloud use CEF (Chromium Embedded Framework) or Electron, which may contain the vulnerable code. Savvy Windows users should check for updates to these apps and, if possible, look for version numbers that correspond to Chromium 148 or later.

Mitigations While Production Systems Are Patched

Though the fix is already available, security‑conscious users and IT departments that need time to test and deploy may employ short‑term mitigations:

  • Disable the WebCodecs API via a browser policy. In Chrome, the flag #disable-accelerated-video-decode does not fully disable WebCodecs; a better approach is to set the Group Policy DefaultWebCodecsPolicy to 3 (disable all WebCodecs) until patches are rolled out. This may break some video‑heavy sites but prevents exploitation.
  • Use site isolation (strict origin isolation) and cross‑origin iframe blocking. These do not stop the leak but can limit what data is exfiltrated across origins.
  • Enable Windows Defender Application Guard for Edge, which runs the browser in a Hyper‑V isolated container, reducing the impact of any memory disclosure.
  • Monitor for anomalous WebRTC or WebSocket traffic from browsers, as proof‑of‑concept exploits often use these protocols to exfiltrate stolen memory payloads.

None of these mitigations are as effective as simply updating, but they provide layered protection for environments that must follow a Change Advisory Board process before mass deployment.

The Industry Response: Faster Patching, Narrower Disclosures

Google and Microsoft have been steadily reducing the patch‑to‑exploit window. The coordinated disclosure on May 6, 2026, included a rare same‑day fix for both browsers, a testament to the Chromium project’s ability to ship deterministic builds. Still, the 24‑hour gap before exploit code surfaced shows that determined adversaries can reverse‑engineer patches quickly. This pressurizes the “update immediately” message that security teams must convey to users—particularly those who habitually ignore the “Relaunch to finish updating” prompt.

For enterprise administrators, the Medium severity rating can be deceptive. A 2019 study by Red Canary found that 60% of intrusions that involved an information leak later escalated to full domain compromise. So while the CVSS math says “Medium,” the business risk is often higher. Sophisticated attackers don’t stop at leaking memory; they use it to map out the internal attack surface and plan subsequent steps.

How to Stay Ahead of Chromium Vulnerabilities

The cadence of Chromium updates—major version every four weeks, with frequent security backports—demands automation. Individual users can:

  • Keep automatic updates turned on (both in the browser and at the OS level).
  • Restart browsers when prompted; the update often requires a relaunch to complete.
  • Subscribe to the Chrome Releases blog (chromereleases.googleblog.com) and MSRC security updates for real‑time alerts.

On the enterprise side, IT teams should:

  • Use browser management tools like Chrome Browser Cloud Management or Microsoft Intune to push updates and enforce minimum versions.
  • Integrate NVD feeds and vendor advisories into SIEM or patch management platforms.
  • Test early by enrolling a subset of users in the Beta or Stable channel, depending on risk appetite.

Looking Forward: Is WebCodecs Worth the Risk?

WebCodecs represents a paradigm shift in web capabilities, enabling applications like Figma’s AI‑powered video editor and in‑browser 3D rendering that rival native apps. Yet each new API that exposes hardware‑accelerated media processing also expands the attack surface. Google’s response to CVE-2026-7982 includes plans to sandbox the VP9 decoder process more aggressively and to move the YUV‑plane handling into a memory‑safe language in Chromium 150. Rust rewrites of the VP8 and VP9 decoders are already underway in the media/rust directory of the Chromium source tree, but they won’t ship until the second half of 2026.

In the meantime, users must treat browser updates with the same urgency as operating‑system patches. The browser is the new operating system—and a single dangling pointer in a video decoder can unravel the security of every other tab. CVE-2026-7982 is a reminder that the most innocent‑looking feature, a simple video frame copy, can open a window into your browser’s memory if left unpatched for even a week.

Update now. Check your version. And then get back to watching cat videos—safely.