A CDM (Content Decryption Module) is the DRM client implementation inside a browser or device - Widevine in Chrome, PlayReady in Edge, FairPlay in Safari - that handles the secret parts of protected playback: generating license requests, storing the key, and decrypting media inside a boundary the page's JavaScript cannot inspect.
On the web, application code reaches the CDM only through the EME API: it can ask the CDM for a license challenge and hand back the license, but never sees the key itself. The CDM's security level (software vs hardware-backed) determines what quality a device is allowed to play, which is why robustness rules tie premium resolutions to a hardware CDM.
