On the night of March 11, 2026, Google released an update that addressed a total of 29 vulnerabilities in its Chrome web browser, including one with the highest risk rating of “critical.” The vulnerability was reported by Tobias Wienand, a CASA doctoral student of PI Flavio Toffalini and a member of the Chair of Automated Security Analysis at the School of Computer Science.
His research focuses on browser security and fuzzing – the very software testing method he used to discover the critical security vulnerability:
“The fuzzing was successful because I focused specifically on the new web standard in the GPU process,” explains Tobias Wienand.
Serious security vulnerability in the Chrome browser's GPU processing
The vulnerability affected a WebNN component, also known as a WebML component. This is a web standard used in the Chrome browser to make predictions using neural networks. It is considered particularly critical because the relevant code runs in the browser’s GPU process – an area that is closely linked to the entire operating system. Potential attacks would therefore have particularly far-reaching consequences for the system.
Report successful: Update patches Google vulnerability
In accordance with the principle of “responsible disclosure,” the CASA researcher reported the discovered security vulnerability – along with another one rated “high” risk – directly to Google and received a reward in return. The technology company subsequently patched the vulnerability with an update.
The news coverage surrounding the report of the Google security vulnerability was picked up by business and technology magazines such as Forbes and Heise, among others.
Press contact
Annika Sengalski, annika.sengalski@rub.de
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.