CVE-2026-4675
Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. The vulnerability resides in Chrome's WebGL graphics rendering component and was reported by the same pseudonymous researcher (_86ac1f1587b71893ed2ad792cd7dde32_) who discovered CVE-2026-5281 (Dawn WebGPU use-after-free zero-day under active exploitation) and CVE-2026-4676 (Dawn use-after-free with sandbox escape potential). This cluster of GPU-layer vulnerabilities suggests systematic fuzzing or targeted research into Chrome's graphics subsystem. The flaw was patched on March 23, 2026, as part of a Chrome Stable Channel update. All Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, were affected until they incorporated the upstream fix.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122, CWE-787
Threats tracking this CVE
- Google Chrome Dawn WebGPU Use-After-Free Zero-Day Under Active Exploitation (CVE-2026-5281) — HIGH
- Google Chrome Dawn WebGPU Use-After-Free Zero-Day Under Active Exploitation (CVE-2026-5281) — CRITICAL
References
- https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html
- https://issues.chromium.org/issues/488270257
- https://nvd.nist.gov/vuln/detail/CVE-2026-4675
- https://www.bleepingcomputer.com/news/security/google-fixes-fourth-chrome-zero-day-exploited-in-attacks-in-2026/
- https://thehackernews.com/2026/04/new-chrome-zero-day-cve-2026-5281-under.html