Skip to main content

Google Chrome CVE-2026-13028

| EUVDEUVD-2026-39032 CRITICAL
Use After Free (CWE-416)
2026-06-24 Chrome GHSA-cc6x-3gf8-2x53
9.6
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Remote crafted page needs only a page visit (UI:R, PR:N, AC:L); the sandbox escape crosses a security boundary (S:C) yielding total compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:30 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
9.6 (CRITICAL)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
CRITICAL 9.6

DescriptionCVE.org

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure user to crafted HTML page
Delivery
Page invokes malicious WebGL JavaScript
Exploit
Trigger use-after-free in WebGL
Execution
Groom reclaimed memory and corrupt object
Persist
Escape renderer sandbox
Impact
Gain control beyond browser boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to load attacker-controlled content that exercises the WebGL code path - i.e., open a crafted HTML page in Chrome for Android prior to 149.0.7827.197 - which the CVSS UI:R reflects as the required user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed, which is important for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing crafted WebGL JavaScript and entices an Android user to open it (via phishing link, malvertising, or a compromised site); when the page loads, the WebGL code triggers the use-after-free, corrupts memory, and chains to a sandbox escape giving the attacker control beyond the renderer. No public exploit is identified at time of analysis, but the low attack complexity and required-but-trivial user interaction make a weaponized drive-by plausible if an exploit is developed.
Remediation Vendor-released patch: upgrade Google Chrome on Android to 149.0.7827.197 or later, which is the fixed Stable channel build per the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html; on Android this is delivered via the Google Play Store, so ensure automatic Play updates are enabled and force-update managed fleets through MDM. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Android devices with Chrome across your environment (corporate-managed, BYOD, kiosk deployments). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13028 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy