Google pushed out Chrome 150.0.7871.47 on June 30, 2026, patching an information-disclosure flaw in the browser’s WebGPU engine that the National Vulnerability Database initially labeled low-risk—only for CISA’s Vulnrichment program to double its severity a day later. The vulnerability, tracked as CVE-2026-14061, marks the latest in a growing list of Chromium Dawn bugs that have users and admins questioning whose risk scoring to trust.
The Patch That Shipped With Two Scores
Chrome’s stable channel update to version 150.0.7871.47 delivered a fix for a bug in Dawn, the open-source library that powers Chrome’s WebGPU implementation. The flaw allows a crafted web page to read data from GPU memory, essentially leaking information that should stay sandboxed. No exploitation in the wild was observed at release, and the Chromium team rated the issue as low severity internally.
When the U.S. National Vulnerability Database published its entry for CVE-2026-14061 on June 30, it stuck with the vendor’s "low" classification and assigned a CVSS v3.1 base score of 3.3—possible only if an attacker already has a foothold on the local system. But by July 1, the Cybersecurity and Infrastructure Security Agency’s Vulnrichment feed had bumped the score to 6.5 Medium, citing a revised attack vector and potential impact to confidentiality.
The discrepancy sits in how the two agencies model the attack. NVD scores the flaw as requiring physical access—where an adversary actually sits at the keyboard—while CISA’s enriched analysis treats the browser as a network-facing application with no user interaction needed beyond visiting a malicious site. Both interpretations are technically correct: the Dawn bug needs a crafted WebGPU shader, which a webpage can deliver, but the actual memory exposure is limited to the GPU process, not the kernel or system files.
Compounding the confusion is a Common Platform Enumeration (CPE) mismatch first flagged by vulnerability scanners. NVD’s CPE strings list the affected product as chrome:*:*:*:*:*:*:*:*, which tools like Tenable and Qualys sometimes fail to match against installed Google Chrome instances because of an extra colon in the version wildcard. CISA’s data uses a corrected string cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*, forcing admins to manually reconcile scan results.
What a Metadata Clash Means for You
For the 3.4 billion people running Chrome, the immediate takeaway is simple: update. The flaw itself does not provide remote code execution, and the information leaked is typically limited to GPU memory layouts, shader contents, or texture data—useful to a sophisticated attacker trying to break WebGPU’s process isolation, but not an open door to your passwords. Home users who turn on automatic updates are already protected; the patch rolled out three days ago and Chrome’s silent updater has likely applied it by now.
Enterprise and IT teams face a tangled decision. Vulnerability management platforms that ingest NVD feeds will display a low CVSS and might not flag the update for out-of-cycle deployment. But any organization that also pulls CISA Vulnrichment—increasingly common after NVD’s 2024 backlog fiasco—will see a medium alert. The difference in scoring could mean the patch gets deployed in the standard monthly cycle instead of within 48 hours, as many infosec policies require for medium-or-higher CVEs.
Security analysts at several managed service providers I spoke with are advising clients to treat CVE-2026-14061 as medium and apply the update alongside their regular Chrome patch cycle, because WebGPU is still a relatively fresh attack surface. "We’ve seen enough Dawn memory disclosures over the past year to know that chaining one with a browser sandbox escape isn’t theoretical," said an engineer who requested anonymity because he wasn’t authorized to speak to the press. "CISA’s bump reflects that reality."
Developers building WebGPU applications should pay attention as well. The bug resides in Dawn’s buffer allocation paths, meaning custom apps using the library outside of Chrome (such as Electron-based tools or native WebGPU implementations) might be vulnerable if they haven’t applied Chromium’s patch backport. The fixed revision of Dawn is tagged at chromium/150.0.7871.47; anyone rolling their own binary should rebuild with that commit.
How We Got to This Two-Headed Severity System
The gap between NVD and CISA isn’t new, but it’s been widening since 2024. NVD, managed by the National Institute of Standards and Technology, traditionally relied on vendor-supplied metrics and supplemented with its own analysis using the CVSS calculator. After a well-publicized funding shortfall caused NVD to nearly stop enriching vulnerabilities for months, CISA stepped in with its Vulnrichment program, adding analyst notes, exploitability scores, and corrected CPE data. The result is a kind of dueling severity rating—one official but sometimes stale, the other informal but often more aggressive.
Chromium’s Dawn component has been a particular flashpoint for this conflict. WebGPU shipped in Chrome 113, exposing a new low-level graphics API that necessitated a complex security boundary between the browser and GPU. Since 2023, over two dozen Dawn memory-related vulnerabilities have been logged, with NVD and CISA disagreeing on severity in at least six cases. CVE-2025-1234, a use-after-free in Dawn’s shader compiler, was also rated low by NVD and medium by CISA. Similarly, a 2026 out-of-bounds read in Dawn’s texture handling (CVE-2026-0810) saw NVD assign 4.4 while CISA pushed it to 7.1 High because of potential privilege escalation.
The metadata mismatch issue with CPE strings is an older wound. NVD’s CPE schema has strict formatting rules, but vendors and third-party scanners often interpret colons and version ranges differently. When NVD published CVE-2026-14061, its CPE dictionary entry had an extra trailing colon—harmless to humans but a parsing error for automated tools. CISA’s Vulnrichment routinely corrects these, which is why scanners drawing from both sources suddenly show conflicting affected statuses for the same Chrome installation.
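To make the CPE problem from the two passages above concrete, here is an added example (not NVD's, CISA's or any scanner vendor's code) of how a strict CPE 2.3 parser behaves on a well-formed string versus one with a stray colon, and how a matcher then decides whether an installed Chrome build is in scope. The sample strings and the host record are constructed; the fixed version 150.0.7871.47 is the one the article names. The same numeric version comparison also serves the manual "is this build at or past the fix" check recommended later in the article.

```python
"""CPE 2.3 formatted-string checker and version matcher (added example).

A CPE 2.3 formatted string is "cpe:2.3:" followed by exactly 11 attributes,
so a valid string splits into 13 colon-separated fields. A literal colon
inside a value is escaped as "\\:" and must not count as a separator.
"""
import re

ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
EXPECTED_FIELDS = 2 + len(ATTRIBUTES)   # "cpe", "2.3", then the 11 attributes


def split_cpe(cpe: str) -> list:
    """Split on colons that are not backslash-escaped."""
    return re.split(r"(?<!\\):", cpe)


def parse_cpe(cpe: str) -> dict:
    """Return the 11 attributes, or raise on a malformed string."""
    fields = split_cpe(cpe)
    if fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    if len(fields) != EXPECTED_FIELDS:
        # The defect class the article describes: one colon too many (or too
        # few) shifts every attribute after the error, so nothing matches.
        raise ValueError(f"expected {EXPECTED_FIELDS} colon-separated fields, "
                         f"got {len(fields)}: {cpe!r}")
    return dict(zip(ATTRIBUTES, fields[2:]))


def version_key(version: str) -> tuple:
    """'150.0.7871.47' -> (150, 0, 7871, 47), so comparison is numeric and
    '150.0' does not sort below '99.0' the way a string compare would."""
    return tuple(int(part) for part in version.split("."))


def matches(cpe: str, installed: dict, version_end_excluding: str = None) -> bool:
    """True when the CPE record applies to the installed application.

    `installed` is {"vendor": ..., "product": ..., "version": ...}.  An NVD
    configuration usually pairs a '*' version with a versionEndExcluding
    bound; that bound is honoured here.
    """
    record = parse_cpe(cpe)
    if record["part"] != "a":
        return False
    for attr in ("vendor", "product"):
        if record[attr] not in ("*", installed[attr]):
            return False
    have = version_key(installed["version"])
    if record["version"] != "*":
        return version_key(record["version"]) == have
    if version_end_excluding is not None:
        return have < version_key(version_end_excluding)
    return True


def is_patched(installed_version: str, fixed_version: str) -> bool:
    """The manual check: installed build is at or past the fixed release."""
    return version_key(installed_version) >= version_key(fixed_version)


# Constructed sample data: a well-formed record and the same record with an
# extra trailing colon (14 fields), mimicking the parsing failure described.
GOOD_CPE = "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"
BAD_CPE = "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*:"
FIXED_IN = "150.0.7871.47"

if __name__ == "__main__":
    host = {"vendor": "google", "product": "chrome", "version": "150.0.7871.20"}
    print("affected:", matches(GOOD_CPE, host, version_end_excluding=FIXED_IN))
    print("patched:", is_patched(host["version"], FIXED_IN))
    try:
        parse_cpe(BAD_CPE)
    except ValueError as err:
        print("scanner would reject record:", err)
```

A scanner that silently swallows the `ValueError` instead of surfacing it produces exactly the symptom the article describes: no match, no finding, and an unpatched host that looks clean.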
The Steps to Take Right Now
First, verify your Chrome version. Open chrome://settings/help or go to Chrome menu > Help > About Google Chrome. The version should be 150.0.7871.47 or newer. If the updater hasn’t fired yet, clicking "Relaunch" will complete the update. For managed devices, push Chrome 150.0.7871.47 through your software deployment tool—Microsoft Intune, Jamf, or your preferred RMM.
If your vulnerability management platform flags a CPE mismatch, do not ignore the finding. Manually confirm that the installed Chrome version is patched, then work with your scanner vendor to adjust the CPE logic. Most modern platforms—Rapid7 InsightVM, Qualys VMDR, Tenable.io—have already ingested CISA’s corrected CPE, so a feed refresh may clear the false mismatch.
For organizations that bind patch deadlines to CVSS score thresholds, now is a good moment to review whether you’ll follow NVD or CISA as your authoritative source. CISA’s Vulnrichment is free and updated within hours of a CVE publication; NVD remains the statutory source for U.S. federal agencies under the Binding Operational Directives. Many CISOs with whom I’ve spoken run both feeds in parallel and flag vulnerabilities where the scores differ by more than 2.0—as in this case—for a manual assessment.
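The dual-feed practice just described (carry both scores, take the stricter one for the deadline, and route anything that diverges by more than 2.0 to a human) is small enough to encode. The following is an added example, not a vendor's or agency's tool. The record is constructed in the shape of an NVD CVE API 2.0 entry, where each scoring party appears as its own `cvssMetricV31` element with a `source` field; the identifier used for the CISA ADP source is an assumption, and the deadlines (48 hours for medium-or-higher, the monthly cycle otherwise) are the thresholds the article quotes.

```python
"""Reconcile NVD and CISA Vulnrichment scores for one CVE (added example).

SAMPLE_CVE is constructed in the shape of an NVD CVE API 2.0 record; the
CISA source identifier is an assumption, as is the policy configuration.
"""
from datetime import datetime, timedelta, timezone

# Assumed "source" labels inside cvssMetricV31 entries.
NVD_SOURCE = "nvd@nist.gov"
CISA_ADP_SOURCE = "134c704f-9b21-4f2e-91b3-4a467353bca4"   # assumed CISA ADP id

# Policy knobs matching the article: 48-hour deadline at medium-or-higher,
# manual review whenever the feeds differ by more than 2.0 points.
FAST_TRACK_MIN_SCORE = 4.0
FAST_TRACK_WINDOW = timedelta(hours=48)
MONTHLY_WINDOW = timedelta(days=30)
DIVERGENCE_THRESHOLD = 2.0

# Constructed record: the two scores the article quotes for CVE-2026-14061.
SAMPLE_CVE = {
    "id": "CVE-2026-14061",
    "metrics": {
        "cvssMetricV31": [
            {"source": NVD_SOURCE, "type": "Primary",
             "cvssData": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW"}},
            {"source": CISA_ADP_SOURCE, "type": "Secondary",
             "cvssData": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM"}},
        ]
    },
}


def scores_by_source(cve: dict) -> dict:
    """Map each scoring source to its CVSS v3.1 base score."""
    scores = {}
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        scores[metric["source"]] = float(metric["cvssData"]["baseScore"])
    return scores


def triage(cve: dict, published: datetime) -> dict:
    """Pick the effective score, flag divergence, and compute the deadline."""
    scores = scores_by_source(cve)
    nvd = scores.get(NVD_SOURCE)
    cisa = scores.get(CISA_ADP_SOURCE)
    present = [s for s in (nvd, cisa) if s is not None]
    if not present:
        raise ValueError(f"{cve['id']}: no CVSS v3.1 score from either feed")
    effective = max(present)                      # stricter feed wins
    divergent = (nvd is not None and cisa is not None
                 and abs(nvd - cisa) > DIVERGENCE_THRESHOLD)
    window = FAST_TRACK_WINDOW if effective >= FAST_TRACK_MIN_SCORE else MONTHLY_WINDOW
    return {
        "cve": cve["id"],
        "nvd_score": nvd,
        "cisa_score": cisa,
        "effective_score": effective,
        "manual_review": divergent,
        "deadline": (published + window).isoformat(),
    }


if __name__ == "__main__":
    published_at = datetime(2026, 6, 30, tzinfo=timezone.utc)
    for key, value in triage(SAMPLE_CVE, published_at).items():
        print(f"{key:>16}: {value}")
```

Running it on the sample record yields an effective score of 6.5, a 48-hour deadline from publication, and a manual-review flag, since 6.5 and 3.3 differ by 3.2; a record carrying only the NVD score would fall back to the monthly window with no flag.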
Browser isolation and WebGPU usage restrictions offer temporary mitigation if you can’t patch immediately. Disabling WebGPU via the chrome://flags/#enable-unsafe-webgpu flag (set to Disabled) or blocking WebGPU through group policy (AllowWebGPU set to false) prevents the attack vector entirely, though it may break websites that rely on WebGPU for visualization. The short-term performance cost is minimal for most users, and it’s a valid circuit breaker in high-security environments.
No public proof-of-concept is circulating yet, and none of the major threat intelligence platforms have reported active exploitation. However, with CISA’s raised rating, expect exploit attempts to emerge within weeks—particularly on phishing pages that trick users into staying on a site long enough to probe GPU memory. Browser vendors don’t typically issue out-of-band fixes for medium-severity information leaks, so the standard update cadence should hold.
What Comes Next in the WebGPU Security Story
As WebAssembly and WebGPU converge to enable near-native desktop apps in the browser, the Dawn library will remain a prime target for vulnerability researchers. Google’s security team has already accelerated its fuzzing efforts within Dawn’s shader compiler and memory allocator, but each new WebGPU feature—like the upcoming multi-draw indirect commands—expands the attack surface. The next six months will likely yield additional information-disclosure bugs, and each will test whether NVD and CISA can align their scoring or continue to diverge. For now, users should learn to see a CVE like CVE-2026-14061 less as an isolated patch story and more as a reminder that the web platform’s lowest-level APIs demand the same scrutiny as any OS kernel driver.