HIGH 7.4

CVE-2026-10968: Chrome Cross-Origin Data Leak in Dawn Graphics Engine (CVSS 7.4)

A vulnerability in Chrome's graphics rendering engine (Dawn) on Windows allows attackers to steal sensitive data from websites you're visiting. If an attacker first compromises Chrome's renderer process—the part that runs web content—they can craft a malicious webpage to leak information across website boundaries, bypassing Chrome's security isolation. This requires the attacker to have already gained control of the renderer, making it part of a multi-stage attack but with serious data-theft consequences once achieved.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

Insufficient validation of untrusted input in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10968 involves insufficient input validation in Dawn, Google Chrome's low-level graphics abstraction layer, when running on Windows. The vulnerability allows a compromised renderer process to break cross-origin isolation boundaries and exfiltrate data via a specially crafted HTML page. Dawn's responsibility is translating graphics calls to underlying APIs; weak validation of untrusted input permits an attacker with renderer-level code execution to manipulate graphics operations in ways that leak memory contents across site boundaries. The flaw is classified as CWE-20 (Improper Input Validation), indicating the root cause is insufficient sanitization before processing graphics commands.

Business impact

Data theft from users' browsing sessions represents a material confidentiality risk. If an attacker chains this vulnerability with a separate renderer compromise (such as a browser exploit or malicious extension), they gain the ability to steal authentication tokens, personal information, payment details, or proprietary data visible in the user's tabs. For organizations, this means users accessing sensitive SaaS applications, internal web tools, or cloud services are at risk of session hijacking or credential exfiltration if they are targeted with both a renderer exploit and this cross-origin leak technique.

Affected systems

Google Chrome on Microsoft Windows prior to version 149.0.7827.53 is affected. This includes all 32-bit and 64-bit installations on Windows 7 and later. The vulnerability does not affect Chrome on macOS, Linux, or Android. Users running older Chrome versions and those who have not updated to 149.0.7827.53 or later remain vulnerable.

Exploitability

Exploitation requires two preconditions: (1) the attacker must already have compromised the Chrome renderer process, typically via a separate browser vulnerability or social engineering that installs malicious code, and (2) the user must then visit a page containing the attacker's crafted HTML. The attack vector is network-based and requires user interaction (visiting a webpage), but the barrier to exploitation is medium because the renderer compromise is the harder prerequisite. This is not a remote code execution vector on its own—it is a data-exfiltration technique that amplifies the damage of existing renderer exploits.

Remediation

Update Google Chrome to version 149.0.7827.53 or later immediately. Chrome will auto-update on most systems within hours, but users can manually force the update by going to Chrome menu > About Google Chrome, which will check for and install any pending updates. After updating, verify the version number under About to confirm the patch is in place. Organizations should enforce Chrome updates via Group Policy (Windows domain environments) or Mobile Device Management (MDM) for managed endpoints.

Patch guidance

Google Chrome will deliver the patch automatically to most users; no manual download is required. Verify the installed version via Settings > About Google Chrome; the page will auto-refresh and show the new version once installation is complete. For enterprise deployments, administrators should confirm version 149.0.7827.53 or later via Active Directory or MDM console. If you manage Chromebook fleets, standard auto-update policies will apply. No rollback is necessary or recommended; the patch introduces no known incompatibilities.

Detection guidance

Monitor for abnormal renderer process activity, including graphics-related system calls or memory access patterns, via endpoint detection and response (EDR) tools. Check for unauthorized use of graphics APIs (D3D, Vulkan) or unusual cross-origin data requests in network traffic. Browser version audits should confirm all Windows systems running Chrome are at version 149.0.7827.53 or later. Look for web traffic to known malicious or attacker-controlled domains from user systems, as attackers would host the crafted HTML payload. Correlate this vulnerability detection with alerts for other Chrome renderer exploits in your environment to identify coordinated attacks.

Why prioritize this

Although this vulnerability alone cannot be exploited without prior renderer compromise, it significantly amplifies the impact of other browser exploits. Any renderer vulnerability—whether zero-day or patched but uninstalled—becomes a data-theft weapon when combined with this flaw. The CVSS score of 7.4 (HIGH) reflects the confidentiality impact. Organizations should treat this as a medium-to-high priority in a defense-in-depth context: patch immediately to close the exfiltration vector, and simultaneously harden defenses against the renderer exploits that would precede it.

Risk score, explained

The CVSS v3.1 score of 7.4 (HIGH) is driven by high confidentiality impact (C:H) and the low attack complexity (AC:L) of delivering the malicious HTML once renderer access is achieved. No integrity (I:N) or availability (A:N) impact is scored because the flaw only leaks data, not modify it or crash the browser. The network attack vector (AV:N) and requirement for user interaction (UI:R) reflect the realistic delivery mechanism. The scope change (S:C) acknowledges that a compromised renderer can breach the confidentiality guarantees of other web origins. The score does not credit the renderer compromise requirement because CVSS assumes the attack step immediately preceding the vulnerability; however, this context is critical for prioritization.

Frequently asked questions

Do I need to worry about this if I don't use Chrome?

No. This vulnerability is specific to Google Chrome on Windows. If you use Firefox, Safari, Edge, or other browsers, you are not directly affected. However, if you use Chromium-based browsers other than Chrome (such as Edge), check with your vendor for equivalent patches.

Will Chrome update automatically, or do I need to do anything?

Chrome updates automatically in most cases. However, the update only installs when you restart the browser. To speed up patching, close Chrome completely and reopen it, or go to Settings > About Google Chrome to manually trigger the check. Users should verify they are on version 149.0.7827.53 or later.

What does 'compromised renderer process' mean, and how would that happen?

The renderer process is the part of Chrome that loads and displays websites. An attacker could compromise it by exploiting a separate vulnerability in Chrome (such as a memory safety bug), tricking a user into installing a malicious extension, or using social engineering. Once renderer code runs under attacker control, this vulnerability allows that attacker to leak data across websites the user is browsing.

Should organizations disable Chrome or force employees to use a different browser?

No. Disabling Chrome is unnecessary and disruptive. Instead, ensure all Windows systems running Chrome are updated to version 149.0.7827.53 or later via automatic updates or managed deployment. Combine this with endpoint security (EDR) monitoring and user training to defend against the renderer exploits that would precede this vulnerability.

This analysis is based on publicly available information current as of the published date. CVSS scores, affected versions, and patch availability reflect the official vulnerability record. Organizations should verify patch deployment against their Chrome version inventory and confirm auto-update policies are enabled. This vulnerability requires prior renderer compromise and is not exploitable in isolation; however, it should be treated as a critical data-exfiltration amplifier in multi-stage attack chains. No proof-of-concept code or weaponized exploits are provided. Always test patches in a non-production environment before enterprise-wide deployment. Consult Google's official security advisory and your vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).