# CVE-2026-4676

> Use-after-free vulnerability in Dawn, Google's open-source cross-platform implementation of the WebGPU standard, in Google Chrome prior to 146.0.7680.165. The flaw allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Dawn translates WebGPU API calls into platform-specific GPU instructions (Vulkan on Linux, Metal on macOS, Direct3D 12 on Windows) and relies on raw pointers to reference-counted objects, creating conditions where stale pointers can persist after object deallocation. This vulnerability is part of a cluster of GPU-layer bugs discovered by the s

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 0.1%
- **CWE:** CWE-416

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-4676
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp