Use After Free Vulnerability in Google Chrome for Android
CVE-2026-13028

9.6 CRITICAL

Key Information:

Vendor: Google
CVE Published: 24 June 2026

What is CVE-2026-13028?

CVE-2026-13028 is a critical use-after-free vulnerability in the WebGL graphics library of Google Chrome for Android. WebGL lets web applications render interactive 2D and 3D graphics, which many modern web applications and games depend on. The vulnerability arises when WebGL's memory handling does not properly manage the lifecycle of certain resources, potentially allowing attackers to manipulate memory after it has been freed. The consequences can be severe, including unauthorized access to sensitive data or escape from the sandbox in which web pages run, which affects the integrity and security of the device and any data processed through it.

Potential impact of CVE-2026-13028

  1. Sandbox Escape: The most critical impact of this vulnerability is that an attacker can escape the sandbox via a specially crafted HTML page. This breaks the isolation that a web browser typically provides, allowing malicious code to interact with the underlying system resources.

  2. Data Exposure: Exploitation of this vulnerability could lead to unauthorized access to sensitive user information. This could include credentials, personal details, or any other data stored within the browser, increasing the risk of identity theft and data breaches.

  3. Potential for Remote Code Execution: If successfully exploited, this vulnerability could enable attackers to perform arbitrary code execution on the device, possibly leading to the installation of malware, data corruption, or other malicious activities that compromise the security of the user's Android device.

Affected Version(s)

Chrome 149.0.7827.197

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
