Skip to main content

Google Chrome CVE-2026-13032

| EUVDEUVD-2026-39033 CRITICAL
Use After Free (CWE-416)
2026-06-24 Chrome GHSA-37jm-qcw2-gcqg
9.6
CVSS 3.1 · Vendor: Chrome
Share

Severity by source

Vendor (Chrome) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Remote crafted page with no auth but required user navigation (UI:R); WebGL UAF crosses the sandbox boundary (S:C) enabling high impact, consistent with vendor Critical rating.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
9.6 CRITICAL
qualitative

Primary rating from Vendor (Chrome).

CVSS VectorVendor: Chrome

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 21:30 vuln.today
CVSS changed
Jun 24, 2026 - 20:22 NVD
9.6 (CRITICAL)
CVE Published
Jun 24, 2026 - 18:43 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 18:43 cve.org
CRITICAL 9.6

DescriptionCVE.org

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

AnalysisAI

Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to crafted HTML page
Delivery
Deliver malicious WebGL JavaScript
Exploit
Trigger use-after-free in GPU process
Execution
Corrupt and reclaim freed memory
Persist
Escape renderer sandbox
Impact
Gain elevated code execution context

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to use Google Chrome on Android at a version below 149.0.7827.197 and to load attacker-controlled HTML/JavaScript that exercises WebGL - i.e., WebGL must be reachable in the rendering path (the default for normal browsing). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward genuine priority for at-risk populations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts or compromises a web page containing malicious JavaScript that issues a crafted sequence of WebGL calls; when an Android user opens the page in a vulnerable Chrome build, the use-after-free is triggered in the GPU process to corrupt memory and attempt a sandbox escape. Given UI:R, the only social-engineering requirement is getting the victim to visit the link (e.g., via phishing, malvertising, or a watering-hole), with no further interaction needed. …
Remediation Update Google Chrome on Android to 149.0.7827.197 or later - Vendor-released patch: 149.0.7827.197, available via the Google Play Store and documented in the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Android devices running Chrome in your organization and assess which have access to corporate networks or sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-13032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy