CRITICAL | CVE-2026-13028 | CNA: Chrome

CVE-2026-13028: Use after free in WebGL in Google Chrome on Android prior to 149

Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 149.0.7827.197
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the WebGL component of Google Chrome for Android allows a remote attacker to exploit freed memory via a crafted HTML page. The attack is reachable over the network and requires no authentication, but it does need the victim to visit a malicious page; the CVSS scope change (S:C) reflects that successful exploitation can break out of the browser sandbox. A successful attacker gains full confidentiality, integrity, and availability impact on the host. A patched-image rebuild at version 149.0.7827.197 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; CVE-2026-13028 is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Chrome for Android. Coverage extends to any image layer that carries an affected Chrome binary, not just base images.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox inside each customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 149.0.7827.197 becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by serving a crafted HTML page to the victim's browser, so the service must be reachable remotely.

  • Authentication: Not required

    No account or credential is needed; any user who browses to the malicious page is a viable target.

  • Victim interaction: Required

    The victim must visit the attacker-controlled HTML page, making this a social-engineering or malicious-ad delivery scenario.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors outside the attacker's control.

Blast Radius

  • A successful attacker reads arbitrary data from the browser process memory, including stored session tokens, cookies, and cached credentials.
  • The attacker writes or modifies data within the browser process and, via sandbox escape, can alter files or state accessible to the browser on the host.
  • The sandbox escape extends impact beyond the Chrome renderer, giving the attacker a foothold at the Android application or OS process level depending on device privilege boundaries.
  • The attacker can crash the browser process or destabilize host services, causing denial of service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13028 activates the moment the advisory is ingested, flagging any image that bundles a Chrome for Android version below 149.0.7827.197 as Critical. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version, executes the configured regression tests, and opens a pull request against affected workloads; for high and critical severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured owner inbox with full CVSS context so teams can act manually. As a compensating control while a rebuild is in progress, teams can apply network-policy rules to restrict outbound navigation to untrusted origins or enforce a managed allowlist of browsable domains on affected Android workloads.

Fix available: 149.0.7827.197

Affected packages
  • Google / Chrome
    < 149.0.7827.197 (from 149.0.7827.197)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H