Google Chrome WebGL Universal Cross-Site Scripting Vulnerability
Inappropriate implementation in WebGL in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Quick answer
Google Chrome should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Google Chrome before 150.0.7871.115
Fixed versions
- 150.0.7871.115
How to fix it
Google Chrome before 150.0.7871.115 is affected by WebGL universal cross-site scripting. Update Chrome or Chromium-based browsers immediately and make sure users restart the browser so the fixed build is active.
- Update Google Chrome to 150.0.7871.115 or later, or the fixed platform build provided by the vendor.
- Force browser restart across managed endpoints so the updated binary is actually running.
- Apply the matching update to Chromium-based browsers that inherit the affected component.
- Prioritize systems used for email, admin consoles, SaaS dashboards, and other high-value browser workflows.
- Use enterprise browser management to block outdated versions and verify update compliance.
- Warn users not to open untrusted links or attachments until Chrome updates are confirmed.
- Review endpoint telemetry for renderer crashes, suspicious crafted HTML activity, or exploit indicators involving WebGL.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm chrome://version or enterprise inventory reports Chrome 150.0.7871.115 or later.
- Verify managed update policy shows no endpoints stuck on the vulnerable version.
- Confirm users restarted Chrome after the update.
- Review security telemetry for WebGL crashes or suspicious browser exploit attempts.
- Run a Fixnx scan and confirm public web assets do not encourage users to run outdated browsers.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15127?
Google Chrome versions listed as affected should be reviewed: Google Chrome before 150.0.7871.115.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
