Introduction
A use after free vulnerability in Chrome's Dawn WebGPU engine opens a path from a compromised renderer process to a full sandbox escape, affecting roughly two thirds of the world's desktop browser installations. CVE-2026-6310, disclosed and patched on April 15, 2026, carries a CVSS score of 8.3 and represents the latest in a series of memory safety issues within Chromium's GPU resource management layer that have demanded attention throughout 2026.
Technical Information
Dawn and the WebGPU Architecture
Dawn is an open source, cross platform implementation of the WebGPU standard. It serves as the underlying WebGPU engine within Chromium, providing a client server architecture specifically designed for applications restricted by a sandbox that lack direct access to native GPU drivers. Dawn manages low level graphics resources including memory allocations tied to WebGPU command execution. Because it handles stateful, timing sensitive GPU resource lifecycles, Dawn is particularly susceptible to object lifetime bugs where memory is referenced after being freed.
Chromium's Multi Process Sandbox Model
Chromium uses a multi process architecture where the renderer process operates inside a restrictive sandbox. The renderer cannot make persistent changes to the system or directly call system 3D APIs. Instead, graphics rendering is handled by a dedicated GPU process that runs in a less restrictive sandbox.
The renderer acts as a client, serializing graphics commands and placing them into a command buffer located in shared memory. The GPU process acts as the server, reading these serialized commands from shared memory and executing the appropriate platform graphics calls. This separation is a core security boundary in Chrome's architecture.
Root Cause
The vulnerability is classified as CWE-416 (Use After Free). The flaw exists in Dawn's management of GPU related resources, where a memory object is freed but a reference (a dangling pointer) to that object remains accessible. When the dangling reference is subsequently used, it accesses memory that may have been reallocated for a different purpose, leading to memory corruption.
Attack Flow
The exploitation of CVE-2026-6310 follows a chained attack pattern:
-
Renderer Compromise: The attacker first gains code execution within the Chrome renderer process. This is a prerequisite; the vulnerability itself does not provide initial access. A separate exploit targeting the renderer (for example, a V8 JavaScript engine bug) would typically be used.
-
Triggering the Use After Free: From the compromised renderer, the attacker crafts specific WebGPU commands embedded in a malicious HTML page. These commands exercise the vulnerable Dawn code path, causing GPU related resources to be freed while references to them are still held.
-
Memory Corruption and Sandbox Escape: By controlling the contents of the freed memory (through heap spraying or similar techniques), the attacker can manipulate the dangling pointer dereference to hijack execution flow within the GPU process. Because the GPU process operates with elevated privileges relative to the renderer sandbox, successful exploitation achieves a sandbox escape, granting the attacker broader access to the underlying system.
This escalation path, from renderer to GPU process to system level access, is what elevates the severity of this vulnerability. The sandbox is Chrome's primary defense against web based attacks reaching the host operating system, and bypassing it fundamentally undermines that protection.
Patch Information
Google addressed CVE-2026-6310 through a Stable Channel update for Chrome Desktop, released on April 15, 2026. The fix is shipped in the following versions:
| Platform | Fixed Version |
|---|---|
| Linux | 147.0.7727.101 |
| Windows | 147.0.7727.101/.102 |
| macOS | 147.0.7727.101/.102 |
The patch corrects the improper memory management in Dawn so that freed GPU related resources are no longer accessible after deallocation, eliminating the dangling reference that enabled the escape. The specific engineering details of the fix are tracked in Chromium Issue 497969820, but as is standard practice for high severity Chromium security bugs, access to the bug report is currently restricted. Google typically keeps these reports locked down until a large majority of users have been updated to the patched version, preventing additional threat actors from leveraging the technical details to develop exploits.
This CVE follows a pattern of Dawn/WebGPU use after free vulnerabilities addressed in 2026, including CVE-2026-5281, CVE-2026-5284, and CVE-2026-5286 in earlier Chrome 146 updates. Each successive patch in this area tightens the object ownership model and deallocation sequences to prevent dangling pointers from becoming exploitable.
To verify the installed version, navigate to chrome://settings/help. Chromium based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi share the upstream Dawn code and will need to ship their own corresponding updates as they integrate the fix from the Chromium project.
Temporary Workaround
If immediate patching is not feasible, administrators can temporarily disable WebGPU by turning off the setting labeled "Use graphics acceleration when available" at chrome://settings/system. This will impact graphics performance but effectively removes the Dawn specific attack vector until the update can be applied.
For enterprise environments, Chrome Enterprise Core provides centralized cloud based tools for configuring update policies across devices. Windows administrators can also use Google Update mechanisms to manage deployment schedules and ensure compliance.
Affected Systems and Versions
All versions of Google Chrome prior to 147.0.7727.101 are affected. This includes all desktop platforms: Windows, macOS, and Linux.
Because Dawn is the shared WebGPU implementation across the Chromium project, other Chromium based browsers (Microsoft Edge, Brave, Opera, Vivaldi, and others) that incorporate the vulnerable Dawn code are also potentially affected until they integrate the upstream fix.
| Attribute | Detail |
|---|---|
| Affected Software | Google Chrome (Desktop) |
| Affected Versions | All versions prior to 147.0.7727.101 |
| Fixed Version (Linux) | 147.0.7727.101 |
| Fixed Version (Windows/macOS) | 147.0.7727.101/.102 |
| Vulnerable Component | Dawn (WebGPU implementation) |
| Also Potentially Affected | Chromium based browsers (Edge, Brave, Opera, Vivaldi) |
Vendor Security History
Google has addressed multiple use after free vulnerabilities in the Dawn/WebGPU subsystem throughout 2026. Prior CVEs in this area include CVE-2026-5281, CVE-2026-5284, and CVE-2026-5286, all patched in earlier Chrome 146 updates. The recurrence of memory safety issues in this component indicates that the Chrome security team has been actively auditing and hardening Dawn's resource lifetime management.
Some of these related vulnerabilities were confirmed as actively exploited in the wild. CVE-2026-5281 and CVE-2026-3910 both had Google explicitly confirming active exploitation, underscoring that Chrome's GPU and rendering subsystems are active targets for sophisticated threat actors.
Google's broader security posture for Chrome remains strong, with the multi process sandbox architecture serving as a critical defense layer. However, the boundary between the renderer and the GPU process continues to be a complex and actively targeted security frontier.
References
- NVD: CVE-2026-6310
- CVE Record: CVE-2026-6310
- Chrome Releases: Stable Channel Update for Desktop (April 15, 2026)
- Chromium Issue 497969820
- Dawn, a WebGPU Implementation (Google Source)
- Dawn, a WebGPU Implementation (GitHub)
- GPU Accelerated Compositing in Chrome
- Chromium Sandbox Design Documentation
- WebGPU Troubleshooting Tips
- Chrome Enterprise Core
- Manage Chrome Updates (Windows)
- Browser Market Share Worldwide (StatCounter)
- CISA: Known Exploited Vulnerabilities Catalog Update (April 13, 2026)
- CISA: Known Exploited Vulnerabilities Catalog Update (April 14, 2026)
