Chrome 150 WebNN Heap Overflow CVE-2026-14087: Low Severity, High Risk

Google fixed CVE-2026-14087 in Chrome 150.0.7871.47 for Windows on June 30, 2026, after documenting a WebNN heap buffer overflow that could be reached through a crafted HTML page once an attacker had already compromised the renderer process. The bug is formally rated Low by Chromium, but CISA’s enrichment assigns it a High CVSS 3.1 score, and that mismatch is the story. This is not a panic-button Chrome zero-day; it is a reminder that AI-adjacent browser plumbing is becoming part of the attack surface before most administrators have even decided whether they use it.

Infographic shows a WebNN pipeline with browser core, security alerts, and block-based data flow.A Low-Severity Bug That Reads Like a Warning Label​

The National Vulnerability Database entry for CVE-2026-14087 is blunt: the flaw is a heap buffer overflow in WebNN in Google Chrome on Windows before version 150.0.7871.47. A remote attacker who had already compromised the renderer process could potentially exploit heap corruption through a crafted HTML page. In Chromium’s own security language, the vulnerability carries Low severity.
That “Low” rating is doing a lot of work. Chromium’s scoring is typically contextual: if a bug requires a previous renderer compromise, it may not stand alone as a browser takeover. In isolation, CVE-2026-14087 appears to be a second-stage or chainable weakness rather than the first click that gets an attacker inside.
CISA’s ADP enrichment, however, places a different lens over the same facts. Its CVSS 3.1 vector marks the issue as network reachable, low complexity, no privileges required, requiring user interaction, and with high impact to confidentiality, integrity, and availability. In plain English, CISA is treating the potential consequences of successful exploitation as severe, even if the route to those consequences depends on a precondition.
That divergence is not bureaucratic noise. It reflects a tension every security team knows too well: product vendors often rate bugs by exploitability inside their architecture, while vulnerability managers are paid to care about what happens when the architecture’s assumptions fail.

Chrome 150 Was Not a Routine Point Release​

Google’s Chrome Releases blog says Chrome 150 was promoted to the stable channel on June 30, 2026, for Windows, macOS, and Linux, with desktop builds listed as 150.0.7871.46 for Linux and 150.0.7871.46/.47 for Windows and Mac. The same post says the update includes 433 security fixes, a number large enough to make any single CVE look small until it lands in a component you did not realize mattered.
CVE-2026-14087 appears in Google’s list as a Low-severity “Insufficient validation of untrusted input in WebNN,” reported by Google on May 14, 2026. Nearby in the same update are other WebNN issues, including an integer overflow and an uninitialized use. That clustering matters more than the individual adjective attached to one bug.
The WebNN entries sit among hundreds of fixes across GPU, ANGLE, Dawn, V8, Skia, Blink, extensions, UI surfaces, and device-facing APIs. Chrome is no longer “a browser” in the old sense of a document viewer with a JavaScript engine bolted on. It is an application runtime, hardware abstraction layer, media platform, identity broker, graphics stack, and increasingly an AI execution surface.
That is why this particular CVE deserves more attention than its Low rating suggests. WebNN is not an everyday feature for most users in the way tabs, bookmarks, or password autofill are. But the browser security model has repeatedly shown that obscure interfaces become important once attackers discover they sit near privileged code, memory-unsafe implementation details, or hardware-accelerated pathways.

WebNN Brings AI Inference Into the Browser’s Threat Model​

WebNN, short for Web Neural Network API, is intended to let web applications run neural-network inference efficiently by using underlying operating-system and hardware acceleration. It is part of a broader movement to make machine-learning workloads available to web apps without forcing developers to ship native applications. That is attractive for performance, privacy, and cross-platform deployment.
It is also exactly the sort of capability that expands the browser’s blast radius. A web page invoking a neural-network API is no longer merely parsing markup and running script. It may be passing shaped tensors, model graphs, compiled operations, and device-backed workloads through layers that eventually touch GPU drivers, ML runtimes, or platform-specific acceleration APIs.
The vulnerability description points to “insufficient validation of untrusted input,” which is the oldest browser-security lesson wearing a new AI-era jacket. If the browser accepts structured input from the web and feeds it into a complex subsystem, every boundary check matters. A heap buffer overflow is what happens when that contract breaks at memory level.
The important qualifier is that the attacker first needs a compromised renderer process. Chrome’s multi-process sandbox is designed precisely to contain hostile web content inside a renderer with limited privileges. A flaw that only becomes useful after the renderer is compromised is not the first domino, but it may be the second or third one.
That is why security engineers care about bugs like this. Modern browser exploitation is rarely a single vulnerability in splendid isolation. It is a chain: memory corruption to gain code execution in a renderer, a sandbox escape or broker abuse to break containment, then persistence or credential theft. A “Low” bug in the wrong component can become a useful link in a chain if it helps convert one foothold into a stronger one.

The Windows-Only Scope Is a Clue, Not a Comfort​

The NVD description specifically identifies Google Chrome on Windows prior to 150.0.7871.47. NIST’s initial analysis also associates the CPE configuration with Google Chrome versions before that build and Microsoft Windows. That platform specificity should sharpen the attention of Windows administrators rather than calm it.
A Windows-only Chrome vulnerability often means the vulnerable path depends on a platform backend, build configuration, driver interaction, API surface, or operating-system integration that does not exist in the same way on Linux or macOS. In the case of WebNN, that is not hard to imagine. Neural-network acceleration is inherently platform-dependent because browsers must map web-facing abstractions onto hardware and OS-level ML stacks.
For enterprise IT, the practical question is not whether every employee is intentionally using WebNN. Most users do not know which browser APIs a page invokes, and most administrators cannot inspect that behavior at scale without specialized tooling. The web’s permission model is not always a simple prompt-and-consent interaction, especially for compute APIs that may not look like camera, microphone, or location access.
The Windows-only label also matters because Chrome is deeply embedded in enterprise workflows on Windows fleets. Even organizations standardized on Microsoft Edge frequently carry Chrome for compatibility, testing, vendor apps, developer tooling, or user preference. Chromium vulnerabilities therefore do not stay neatly inside one browser brand.
Microsoft Edge, Brave, Vivaldi, Opera, and other Chromium-based browsers often need to absorb upstream Chromium fixes, though timing and version alignment vary by vendor. Administrators should not read “Google Chrome” as meaning “not our problem” if their endpoint estate is full of Chromium derivatives. The component name may be upstream, but the exposure follows the code.

The Severity Split Shows Why CVSS Still Starts Arguments​

The CVE record gives us a familiar and uncomfortable split. Chromium calls CVE-2026-14087 Low. CISA-ADP gives it an 8.8 High score under CVSS 3.1, with a vector that implies serious impact if exploitation succeeds. NVD, as of the provided record, had not yet supplied its own CVSS 4.0 or 3.x base score.
This is not simply a disagreement over math. CVSS has long struggled with vulnerabilities that require chaining. If a bug has devastating postcondition impact but is only reachable after a separate compromise, should the score emphasize the prerequisite or the outcome? Different scoring systems and analysts answer that differently.
Google’s internal severity likely reflects the browser sandbox context. If an attacker must already compromise the renderer, then the WebNN bug is not a turnkey remote-code-execution vulnerability from a clean starting point. That is a meaningful distinction for exploitability, triage, and bounty classification.
CISA’s enrichment appears to center the worst credible technical impact once the vulnerability is reachable. Its SSVC fields reportedly list exploitation as “none,” automatable as “no,” and technical impact as “total.” That combination says: there is no known exploitation, and it is not straightforward to automate, but the consequences could be serious in a successful chain.
Both readings can be true. The mistake is to collapse them into a single emotional category. “Low” should not mean “ignore,” and “High” should not mean “drop everything before understanding the preconditions.” For administrators, the right interpretation is simpler: patch promptly, prioritize validation on Windows systems, and do not treat this as evidence of active exploitation unless further advisories say so.

The Renderer Precondition Is the Technical Heart of the Case​

The phrase “who had compromised the renderer process” is the hinge of CVE-2026-14087. In Chrome, renderers are the processes that handle web content. They are deliberately exposed to hostile input, which is why they are sandboxed and isolated from more sensitive browser and operating-system resources.
A renderer compromise means an attacker has already achieved code execution or meaningful control inside that constrained environment. That can happen through another vulnerability in JavaScript, WebAssembly, Blink, V8, graphics parsing, media handling, or another web-facing surface. The browser’s next job is to make that compromise less useful by containing it.
A bug in WebNN after renderer compromise could matter if it lets the attacker corrupt memory in a way that reaches beyond the renderer’s expected limits, manipulates objects with a different trust boundary, or prepares a stronger exploit primitive. The public description does not prove any of those outcomes, and Google’s issue tracker details are restricted, as is common until a majority of users are updated. But the wording is enough to explain why the flaw is not just a malformed-page crash.
The crafted HTML page detail also matters. This is not a local-only misconfiguration or a lab-only fuzzing artifact. The delivery mechanism is the web itself, even if the vulnerable action requires a previously compromised renderer. That keeps the bug in the browser-exploitation universe rather than relegating it to an academic corner case.
This is the uncomfortable middle ground of modern vulnerability management. Many real exploits begin as improbable combinations of individually constrained bugs. Defenders rarely get to wait until every chain is publicly demonstrated before patching; by then, the attacker has already done the integration work.

AI Features Are Becoming Ordinary Attack Surface​

For the last two years, browser vendors have talked about AI mostly in product terms: summarization, writing assistance, local inference, smarter search, tab organization, translation, accessibility, and developer tooling. Security teams hear a different phrase underneath all of that: more parsers, more accelerators, more state machines, more native bindings.
WebNN is part of that shift, even if it is not the same thing as a consumer-facing chatbot button. It is infrastructure for local or accelerated inference in web applications. The better it works, the more developers will want to use it, and the more websites will assume it exists.
That creates a security paradox. Running inference locally can be better for privacy because data need not leave the device. It can be better for latency and cost because a page can use client hardware instead of server GPUs. But local execution also means the web page gets closer to complex native code paths that were never originally designed with arbitrary websites as their primary caller.
Chrome has been here before with graphics. WebGL, WebGPU, ANGLE, Dawn, and GPU process hardening all reflect the same bargain: give web apps fast access to hardware-like capabilities, then spend years sanding down the sharp edges. WebNN looks likely to follow that pattern.
The Chrome 150 security list reinforces the point. The update contains many serious vulnerabilities in graphics, GPU-adjacent, and rendering components. WebNN is not an isolated novelty; it is arriving into a browser architecture already thick with performance-driven subsystems that must accept hostile input without flinching.

The Enterprise Problem Is Visibility, Not Just Patching​

The easy advice is to update Chrome. The harder problem is knowing whether your environment has actually done so, especially across mixed Windows fleets, nonpersistent VDI images, kiosk devices, developer workstations, and systems where users lack restart discipline. Chrome can download updates quietly, but the fixed code is not fully in force until the browser restarts.
For managed Windows environments, the version target is clear: Chrome on Windows must be at least 150.0.7871.47 to contain the fix described in the CVE record. Inventory systems should confirm the running version, not merely the installed package version. Help desks have learned the hard way that a browser left open for weeks can be a security exception hiding in plain sight.
The next layer is policy. If an organization controls Chrome through enterprise templates, it should verify update policies, relaunch notification settings, and any deferral windows that might keep version 150 from landing quickly. The point is not to invent emergency theater for a Low-rated issue. It is to avoid discovering that “automatic updates” means “eventually, when the user closes 47 tabs.”
Security teams should also check whether Chromium-based alternatives are present. Edge has its own update channel and Microsoft servicing path, while third-party Chromium browsers may lag upstream Chrome by hours, days, or longer. A vulnerability in Chromium code is an ecosystem event, even when the first advisory wears a Google badge.
The WebNN angle adds a future policy question: should enterprises be able to disable or restrict emerging compute APIs until they have a clear business need? Browser policy has traditionally focused on extensions, password managers, Safe Browsing, update channels, and permissions. AI-era web APIs may push administrators toward a more granular model of allowed capabilities.

NVD’s CPE Note Is More Than Database Housekeeping​

The user-facing NVD page includes the familiar “Are we missing a CPE here?” prompt, and in this case the configuration identified by NIST ties the vulnerable application to Google Chrome versions before 150.0.7871.47 and Microsoft Windows. That may look like a database footnote, but CPE accuracy is how vulnerability scanners decide whether to wake somebody up at 2 a.m.
A missing or overly narrow CPE can produce false negatives. An overly broad one can flood dashboards with irrelevant findings. In this case, the Windows condition is central, because the public description explicitly scopes the flaw to Chrome on Windows. If a scanner cannot represent that dependency cleanly, administrators may either miss vulnerable Windows Chrome systems or waste time chasing Linux findings that do not match the described exposure.
This is also where NVD timing matters. The record shows the CVE was received from Chrome on June 30, modified by CISA-ADP on July 1, and subjected to NIST initial analysis on July 2. That sequence is normal, but it means the vulnerability-management picture can change over the first days after publication.
For IT shops that ingest CVE feeds automatically, the first version of the truth is often not the last. CWE mappings changed in the record, with CISA-ADP initially adding CWE-122 and later removing it, while NIST added CWE-787. Chrome’s source entry used CWE-20 for improper input validation. That is not a scandal; it is the taxonomy catching up with a bug that can be described at multiple abstraction layers.
The operational lesson is to avoid overfitting automation to the first metadata snapshot. If your dashboard opened the ticket as improper input validation, then later recast it as out-of-bounds write, the underlying remediation did not change. The browser still needs the fixed build.

Security Teams Should Resist Both Complacency and Hype​

There is no public indication in the supplied record that CVE-2026-14087 is being exploited in the wild. CISA’s SSVC entry reportedly lists exploitation as “none,” and the Chromium bug details remain restricted. That should keep this out of the breathless “active Chrome zero-day” category.
At the same time, the bug has several attributes that justify disciplined urgency. It affects Chrome on Windows, lives in a new and complex browser subsystem, involves memory corruption, and can be delivered through crafted web content in a post-renderer-compromise scenario. Those are not the ingredients of a vulnerability you leave to the next quarterly maintenance window.
The most sensible response is boring, which is often what good security looks like. Confirm Chrome version 150.0.7871.47 or later on Windows systems. Restart browsers. Watch for downstream updates from Chromium-based vendors. Keep an eye on whether Google later broadens details after most users are updated.
For home users, this is even simpler. Open Chrome’s About page, let it update, and relaunch. If the browser says it is current on version 150.0.7871.47 or later on Windows, the specific Chrome exposure described here is addressed.
For enterprise users, the better question is whether your browser-update process can close this class of issue quickly without a special campaign. Chrome ships too many security fixes too often for every one to become a bespoke incident. The process must be reliable enough that a 433-fix release does not depend on heroic manual follow-up.

The Small WebNN Bug Points to the Bigger Browser War​

CVE-2026-14087 is easy to underrate because it does not arrive with a dramatic exploit headline. It is a Low-rated WebNN bug in a huge Chrome security rollup, restricted to Windows, and apparently not exploited in the wild. On a crowded patch calendar, that can sound like background noise.
But the browser’s center of gravity is moving. The web platform is absorbing capabilities once reserved for native applications: GPU compute, USB access, file-system handles, local AI inference, richer identity plumbing, and deeper OS integration. Each gain in capability creates a corresponding need for validation, sandboxing, broker hardening, and administrative control.
That does not mean WebNN is a mistake. The web needs performance primitives if it is going to remain competitive with native apps, and local inference could be a privacy win compared with shipping every prompt or model input to a cloud service. The point is that these APIs must be treated as security-sensitive infrastructure from the beginning, not as developer conveniences that receive hardening only after researchers find the first heap corruption bugs.
The Chrome 150 release makes that argument in numbers. Four hundred thirty-three security fixes in one stable-channel update is not a sign that browser security is failing; it is a sign that the browser is enormous, relentlessly fuzzed, and constantly changing. The more ambitious the platform becomes, the more its security posture depends on rapid patch delivery and conservative assumptions about untrusted input.

The Patch Is Straightforward; the Lesson Is Not​

This is the part administrators can act on without drama:
  • Windows systems running Google Chrome should be updated to 150.0.7871.47 or later to address CVE-2026-14087.
  • The vulnerability is not described as actively exploited, but its memory-corruption nature and renderer-compromise precondition make it relevant to exploit-chain thinking.
  • Chromium’s Low severity and CISA-ADP’s High CVSS score are not mutually exclusive; they emphasize different parts of the risk model.
  • Managed environments should verify running browser versions after relaunch, not merely assume automatic updates have completed.
  • Organizations using Chromium-based browsers beyond Google Chrome should track vendor-specific updates rather than assuming upstream fixes have already landed.
  • WebNN and similar AI-era browser APIs deserve the same administrative scrutiny that enterprises already apply to extensions, GPU features, and hardware-facing web capabilities.
The fix for CVE-2026-14087 is a browser update; the harder work is recognizing what kind of browser we are now updating. Chrome on Windows is no longer just a window onto the web, and WebNN is not just another acronym in a release note. It is part of a broader shift toward browsers as local compute platforms, where AI workloads, hardware acceleration, and hostile web input meet inside the same security boundary. If vendors keep expanding that boundary, administrators will need better visibility and stronger controls, because the next “Low” bug may be one link closer to the chain that matters.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-03T07:00:14-07:00
  2. Security advisory: MSRC
    Published: 2026-07-03T07:00:14-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
 

Back
Top