CVE-2025-10500

Google · Google Multiple Products

Executive summary

A high-severity vulnerability has been identified in Google Chrome and other products utilizing the Dawn graphics engine. This flaw, a "Use-after-free" memory corruption bug, can be triggered when a user visits a specially crafted malicious website, potentially allowing an attacker to execute arbitrary code on the user's system, leading to a full system compromise.

Vulnerability

The vulnerability is a use-after-free condition within Dawn, the WebGPU implementation used by Google Chrome. An attacker can exploit this by creating a malicious webpage that makes specific calls to the WebGPU API. When a user with a vulnerable browser visits this page, the browser may incorrectly access a portion of memory that has already been freed, leading to a crash or, more critically, the execution of arbitrary code with the privileges of the logged-in user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a significant business impact, including remote code execution on employee workstations. This could lead to the deployment of malware (such as ransomware or spyware), theft of sensitive corporate data, compromise of user credentials, and loss of control over the affected system. Given the widespread use of Google Chrome in corporate environments, this vulnerability presents a substantial risk to organizational security, potentially serving as an entry point for a wider network breach.

Remediation

Immediate Action: Organizations must apply vendor security updates immediately. All instances of Google Chrome across the enterprise should be updated to version 140 or later to patch this vulnerability. IT administrators should verify update compliance and monitor for any signs of exploitation attempts by reviewing endpoint and network security logs.

Proactive Monitoring: Security teams should monitor for indicators of compromise, including unusual outbound network traffic from workstations, unexpected process execution originating from chrome.exe, and an increase in browser crash reports on endpoint monitoring systems. Endpoint Detection and Response (EDR) solutions should be configured to detect and alert on memory manipulation and suspicious child processes.

Compensating Controls: If immediate patching is not feasible, consider implementing compensating controls such as restricting web access to only trusted sites through web filtering proxies. Ensure that endpoint security solutions are fully updated with the latest signatures and behavioral detection rules. User awareness campaigns can also temporarily reduce risk by advising employees to be cautious about visiting untrusted websites.
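
A triage pass for the Immediate Action and Proactive Monitoring items above, as an added example that is not part of the original advisory: it lists hosts below Chrome major version 140 and process events where chrome.exe spawned an unexpected child. The CSV layouts, host names, version strings, events and the EXPECTED_CHILDREN baseline are constructed assumptions; map them to your own inventory and EDR export.

```python
import csv
import io
from pathlib import PureWindowsPath

MIN_CHROME_MAJOR = 140  # fixed-version threshold stated in the advisory
# Assumption: image names chrome.exe is expected to spawn on this fleet.
# Extend from your own baseline (e.g. native messaging hosts) before alerting.
EXPECTED_CHILDREN = {"chrome.exe"}
# Constructed sample data: hypothetical hosts, versions and process events.
INVENTORY_CSV = r"""host,chrome_version
ws-001,140.0.0.1
ws-002,139.0.0.9
ws-003,
ws-004,141.0.0.2
"""
EVENTS_CSV = r"""host,parent_image,image
ws-001,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Program Files\Google\Chrome\Application\chrome.exe
ws-002,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ws-004,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe
"""

def chrome_major(version):
    """Major version as int, or None when the string is missing or malformed."""
    head = version.strip().split(".", 1)[0]
    return int(head) if head.isascii() and head.isdigit() else None

def unpatched_hosts(inventory_csv):
    """Hosts below MIN_CHROME_MAJOR; an unreadable version counts as unpatched."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    majors = ((r["host"], chrome_major(r["chrome_version"] or "")) for r in rows)
    return [host for host, m in majors if m is None or m < MIN_CHROME_MAJOR]

def suspicious_children(events_csv):
    """(host, child image name) for each unexpected process spawned by chrome.exe."""
    hits = []
    for r in csv.DictReader(io.StringIO(events_csv)):
        parent = PureWindowsPath(r["parent_image"]).name.lower()
        child = PureWindowsPath(r["image"]).name.lower()
        if parent == "chrome.exe" and child not in EXPECTED_CHILDREN:
            hits.append((r["host"], child))
    return hits

def triage(inventory_csv, events_csv):
    """Hosts that are both unpatched and showing an unexpected chrome.exe child."""
    unpatched = set(unpatched_hosts(inventory_csv))
    return sorted({h for h, _ in suspicious_children(events_csv) if h in unpatched})

if __name__ == "__main__":
    print(unpatched_hosts(INVENTORY_CSV), triage(INVENTORY_CSV, EVENTS_CSV))
```

Hosts returned by `triage` are the ones to investigate first, since they are both below the patched version and showing the child-process behavior the monitoring guidance calls out.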

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.8 and the potential for remote code execution, this vulnerability requires immediate attention. The widespread deployment of Google Chrome creates a large attack surface within the organization. We strongly recommend prioritizing the deployment of Google Chrome version 140 or newer to all corporate endpoints without delay. Although not yet listed in the CISA KEV catalog, its high severity and the history of similar browser vulnerabilities being exploited in the wild mean it should be treated with the highest urgency.