Google Chrome WebGL Critical Vulnerabilities

Overview
CVE: CVE-2026-13028, CVE-2026-13032
Severity: Critical
Date: 25 June 2026
Google has disclosed two critical vulnerabilities affecting Google Chrome on Android prior to version 149.0.7827.197. Both are use-after-free flaws (CWE-416) in WebGL, the component that renders hardware-accelerated 3D graphics inside the browser.
In both cases a remote attacker can craft a malicious HTML page that, when a user opens it in a vulnerable Chrome on Android, may allow the attacker to perform a sandbox escape. Chrome confines web content to sandboxed processes; a sandbox escape lets attacker-controlled code break out of that boundary and interact with the underlying device with the privileges of the browser app. No authentication or special privileges are needed beyond the victim loading the page.
Affected Versions
Google Chrome on Android prior to 149.0.7827.197 is affected.
Both issues are fixed in Chrome 149.0.7827.197 for Android.
Users should update to the latest available Chrome release via the Google Play Store as soon as possible.
Vulnerability Breakdown
CVE-2026-13028 - Use-after-free in WebGL
Severity: Critical
CVSS: 9.6
Description: Use-after-free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Impact: A remote attacker may lure a user to a malicious or compromised web page that triggers the use-after-free condition, potentially leading to a browser sandbox escape and code execution outside Chrome's protected environment.
Conditions: Network access and user interaction are required. The victim must visit or be redirected to a crafted HTML page using a vulnerable version of Chrome on Android.
Notes: This issue is tracked as CWE-416, Use After Free.
CVE-2026-13032 - Use-after-free in WebGL
Severity: Critical
CVSS: 9.6
Description: Use-after-free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Impact: As with CVE-2026-13028, a remote attacker may use a crafted web page to trigger the use-after-free condition in WebGL, potentially achieving a sandbox escape and execution of attacker-controlled code on the device.
Conditions: Network access and user interaction are required. The victim must visit or be redirected to a crafted HTML page using a vulnerable version of Chrome on Android.
Notes: This issue is tracked as CWE-416, Use After Free.
Mitigation
Update Google Chrome on Android to version 149.0.7827.197 or later through the Google Play Store. Verify the installed build afterwards via Chrome Settings > About Chrome or by opening chrome://version; the version shown must be 149.0.7827.197 or higher.
Confirm that automatic app updates are enabled on managed and personal Android devices so security fixes are applied promptly.
Prioritise devices that handle sensitive corporate data or connect to corporate resources.
Where mobile device management (MDM) is in place, push or enforce the updated Chrome version across the fleet.
Remind users to avoid clicking untrusted links and to keep their browser up to date, but treat this as a supporting control only: a drive-by bug of this kind can be delivered through a compromised legitimate site or malicious advertising, so patching is the only reliable fix.
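When validating a fleet export, compare Chrome versions numerically rather than as strings, otherwise a build such as 149.0.7827.98 sorts above the fixed 149.0.7827.197 and is wrongly reported as patched. The script below is an added example, not code from the advisory or from Google: it assumes an inventory in CSV form with the columns device_id, package and version_name (the shape an MDM export, or a per-device `adb shell dumpsys package com.android.chrome | grep versionName`, would give you) and that the stable Chrome package name is com.android.chrome; the device rows are constructed sample data.

```python
"""Flag Android devices whose Chrome build predates the fix for
CVE-2026-13028 / CVE-2026-13032 (first fixed build: 149.0.7827.197).

Versions are compared component by component as integers; a plain
string comparison ranks 149.0.7827.98 above 149.0.7827.197.
"""
import csv
import io
import re

# Fixed version taken from the advisory.
FIXED_VERSION = "149.0.7827.197"
# Assumed package name of stable Chrome on Android (beta/dev use other names).
CHROME_PACKAGE = "com.android.chrome"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # MAJOR.MINOR.BUILD.PATCH


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject anything else."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def affected_devices(inventory_csv: str) -> list[str]:
    """Return the ids of devices running a vulnerable com.android.chrome.

    Expects the assumed columns device_id,package,version_name. Rows whose
    version cannot be parsed are reported as well: an unknown build is
    treated as unpatched until someone verifies it on the device.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["package"] != CHROME_PACKAGE:
            continue  # other packages are out of scope for this advisory
        try:
            vulnerable = is_vulnerable(row["version_name"])
        except ValueError:
            vulnerable = True
        if vulnerable:
            flagged.append(row["device_id"])
    return flagged


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = """device_id,package,version_name
android-001,com.android.chrome,149.0.7827.197
android-002,com.android.chrome,149.0.7827.98
android-003,com.android.chrome,148.0.7710.210
android-004,com.android.chrome,150.0.7900.12
android-005,com.android.chrome,unknown
android-006,org.mozilla.firefox,140.0.1
"""

if __name__ == "__main__":
    for device_id in affected_devices(SAMPLE_INVENTORY):
        print("needs Chrome update:", device_id)
```

Feed it the real export in place of SAMPLE_INVENTORY; devices with an unparseable version deliberately land in the output so they are checked by hand rather than silently assumed patched.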
Summary for IT Teams
Products: Google Chrome on Android
Threat Level: Critical, CVSS 9.6. The advisory does not publish the vector, but 9.6 is the CVSS 3.1 score for the usual browser sandbox-escape profile (network vector, low complexity, no privileges, user interaction required, changed scope, high confidentiality, integrity and availability impact).
Action Required: Ensure all Android devices are running Google Chrome 149.0.7827.197 or later. Prioritise corporate-managed devices and any device used to access sensitive systems or data. Enforce the update via MDM where available and verify that automatic updates are enabled.
Need Help?
If your organisation needs assistance assessing exposure, validating affected devices, or rolling out the Chrome update across your fleet, Secure ISS can help.
Contact the Secure ISS SOC team on 1300 769 460 or email us for support.
