CVE-2026-13028
Description
Use after free in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
In plain language
Worth attention: This is a Chrome-on-Android bug where a specially made website can break out of Chrome’s built-in protections on your phone; most small businesses should update Chrome right away if employees use Android browsers.
CVE-2026-13028 is a use-after-free in the WebGL component of Google Chrome on Android (versions prior to 149.0.7827.197). It can be triggered when a user visits a crafted HTML page, potentially enabling a sandbox escape and code execution outside the browser’s sandbox.
What to do now
- Check which Android devices and user profiles use Google Chrome, and confirm the installed Chrome version.
- If your Chrome version is older than 149.0.7827.197, update Google Chrome to at least 149.0.7827.197.
- If you cannot update immediately, avoid opening links from unknown senders and other risky browsing behaviors (especially clicking unsolicited links) until devices are updated.
CVSS Vector Breakdown
- AV:N (Attack Vector)
- AC:L (Attack Complexity)
- PR:N (Privileges Required)
- UI:R (User Interaction)
- S:C (Scope)
- C:H (Confidentiality)
- I:H (Integrity)
- A:H (Availability)
Weaknesses
Affected Products
Exploitability
MITRE ATT&CK
2 techniques
References