CVE-2026-7346 Overview
CVE-2026-7346 affects Google Chrome versions prior to 147.0.7727.138. The vulnerability resides in Tint, the WebGPU Shading Language (WGSL) compiler used by Chrome's graphics stack. An inappropriate implementation allows a remote attacker to trigger out-of-bounds memory access through a crafted HTML page. Chromium engineers rated the security severity as High. The flaw maps to [CWE-119], improper restriction of operations within the bounds of a memory buffer. Exploitation requires user interaction such as visiting a malicious page. Successful exploitation can compromise the confidentiality and integrity of the renderer process.
Critical Impact
Remote attackers can trigger out-of-bounds memory access in the Chrome renderer by serving a crafted HTML page, potentially leading to information disclosure or further sandbox-bound exploitation.
Affected Products
- Google Chrome prior to 147.0.7727.138 on Windows
- Google Chrome prior to 147.0.7727.138 on macOS
- Google Chrome prior to 147.0.7727.138 on Linux
Discovery Timeline
- 2026-04-28 - CVE-2026-7346 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-7346
Vulnerability Analysis
The vulnerability exists in Tint, the shader language compiler that translates WGSL into backend shader code for Chrome's WebGPU implementation. An inappropriate implementation in Tint's handling of shader inputs permits memory accesses outside the bounds of an allocated buffer. A remote attacker who convinces a user to load a crafted HTML page can trigger the condition. The flaw is classified under [CWE-119] for improper restriction of operations within buffer boundaries. The attack vector is network-based and requires user interaction, but no authentication is needed.
Root Cause
The root cause is missing or incorrect bounds enforcement in a Tint compilation or validation path. When the compiler processes adversary-controlled WGSL input from a WebGPU-enabled page, it performs memory operations that exceed the intended buffer extents. The Chromium issue tracker entry 502206907 documents the underlying defect.
Attack Vector
Exploitation proceeds through standard web delivery. The attacker hosts a page that initializes a WebGPU device and submits malicious shader code or pipeline state. When Chrome compiles the shader through Tint, the out-of-bounds access executes inside the renderer or GPU process. Depending on adjacent memory contents, the attacker can read sensitive data or corrupt structures that influence subsequent execution. No verified public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-7346
Indicators of Compromise
- Chrome renderer or GPU process crashes with access violation signatures originating from tint modules.
- Outbound connections from Chrome to untrusted domains immediately preceding renderer crashes.
- Unexpected WebGPU device initialization on endpoints whose users do not normally use GPU-accelerated web applications.
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 147.0.7727.138.
- Monitor browser telemetry for repeated crashes in the GPU process or in libtint symbols.
- Inspect proxy logs for HTML pages that load WebGPU shaders from low-reputation domains.
Monitoring Recommendations
- Enable centralized Chrome crash reporting and forward crash dumps to a SIEM for correlation.
- Track endpoint software inventory continuously to identify drift from the patched Chrome baseline.
- Alert on processes spawned by chrome.exe immediately after a renderer crash, which may indicate post-exploitation activity.
How to Mitigate CVE-2026-7346
Immediate Actions Required
- Update Google Chrome to version 147.0.7727.138 or later on all Windows, macOS, and Linux endpoints.
- Force a Chrome relaunch after the update so the patched binaries replace running renderer and GPU processes.
- Verify the deployed version through enterprise management tooling rather than relying on user self-reporting.
Patch Information
Google released the fix in the stable channel update announced on April 28, 2026. Administrators should consult the Google Chrome Update Announcement and the Chromium Issue Tracker Entry for additional context.
Workarounds
- Disable WebGPU through enterprise policy by setting the Enabled state of the WebGPU feature flag to off until patching completes.
- Restrict browsing to trusted sites using URL allowlists enforced via Chrome enterprise policy.
- Apply network egress filtering to block access to untrusted content delivery networks hosting attacker pages.
# Example Chrome enterprise policy snippet to disable WebGPU (Linux managed policy)
cat <<EOF > /etc/opt/chrome/policies/managed/disable_webgpu.json
{
"DefaultWebGpuSetting": 2,
"URLBlocklist": ["*"],
"URLAllowlist": ["https://corp.example.com"]
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
