Description
Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-24
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw in the WebGL implementation of Google Chrome on Android can be triggered by a remote attacker through a crafted HTML page. The resulting memory corruption can potentially lead to a sandbox escape, giving the attacker the ability to execute arbitrary code with higher privileges than the browser sandbox normally permits. Successful exploitation results in loss of confidentiality, integrity, and availability for the affected device.

Affected Systems

Affected systems are devices running Google Chrome on Android with versions prior to 149.0.7827.197. The issue is specific to the stable channel and does not apply to newer releases beyond that point.

Risk and Exploitability

The vulnerability has a CVSS score of 9.6, signifying critical severity. EPSS information is not available, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is triggered by an externally supplied HTML page, a remote attacker who can serve malicious content to a user’s browser could potentially exploit the vulnerability. The absence of intervening mitigations in the affected Chrome versions increases the likelihood that exploitation could succeed once the exploit code is delivered.

Generated by OpenCVE AI on June 24, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.197 or later on all Android devices immediately.
  • Deploy the update through your device management or enterprise policy to ensure all users receive the patch without manual intervention.
  • If an update cannot be applied at once, disable WebGL via Chrome flags (chrome://flags) or through policy settings to reduce the attack surface until the vulnerability is patched.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Title | | Use-After-Free in WebGL on Android Chrome Enables Sandbox Escape

Wed, 24 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses | | CWE-416
References | |

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:24:31.950Z

Reserved: 2026-06-23T17:14:11.455Z

Link: CVE-2026-13032

Vulnrichment

Updated: 2026-06-24T19:24:27.885Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses