CVE-2026-13032: Use after free in WebGL in Google Chrome on Android prior to 149

Synopsis

Use-after-free in WebGL affects Google Chrome on Android versions prior to 149.0.7827.197. The vulnerability is reachable over the network with no authentication required, but a victim must visit a crafted HTML page. Successful exploitation allows a remote attacker to escape the Chrome sandbox, gaining the ability to read data, tamper with data, and crash or disrupt the affected process with high impact across all three areas. A patched-image rebuild at version 149.0.7827.197 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker delivers the exploit over the network; the target Chrome instance must be reachable and the victim must browse to an attacker-controlled or compromised page.

• AuthenticationNot required

  No account or credential is needed; any unauthenticated remote attacker can serve the malicious HTML page.

• Victim interactionRequired

  The victim must navigate to a crafted HTML page, making this a social-engineering or drive-by scenario requiring at least one user action.

• Attack complexityDetail

  Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

• A successful attacker escapes the Chrome sandbox, breaking the primary isolation boundary between web content and the underlying Android system.
• Confidentiality impact is High: the attacker can read sensitive data accessible to the Chrome process, including stored credentials, session tokens, and browsing history.
• Integrity impact is High: the attacker can write or modify data on the device, including files and application state reachable from the escaped sandbox context.
• Availability impact is High: the attacker can crash or terminate the Chrome process and potentially destabilize dependent system services.