Chrome WebGL Flaw Enables Sandbox Escape on Android
CVE-2026-13028, a critical use-after-free in Chrome's WebGL component, scores CVSS 9.6 and allows remote code execution with sandbox escape on Android. Update immediately.
Google patched 18 security flaws in Chrome 149, but one stands out: a critical use-after-free in WebGL that could let attackers escape the browser sandbox entirely on Android devices.
CVE-2026-13028 carries a CVSS 9.6 score and affects Chrome on Windows, macOS, Linux, and Android. The vulnerability exists in WebGL's memory object lifecycle management—when a user visits a malicious webpage, an attacker can trigger memory corruption that leads to arbitrary code execution.
What Makes This One Different
Most Chrome vulnerabilities are contained by the browser's sandbox. CVE-2026-13028 breaks that assumption on Android, where the flaw chains into a full sandbox escape. An attacker who convinces a user to visit a crafted HTML page can execute code outside the browser's security boundary.
Google's advisory notes the attack complexity is low and requires no special privileges—just user interaction in the form of visiting a page. No public exploitation has been confirmed yet, but the combination of low complexity and sandbox escape makes this a high-priority patch.
Affected Versions and Patches
Chrome versions prior to 149.0.7827.197 on Windows, macOS, and Android are vulnerable. Linux users need 149.0.7827.196 or higher. Google released the patches on June 26, giving organizations a narrow window to update before potential weaponization.
The 18 vulnerabilities in Chrome 149 span multiple components, but the WebGL flaw drew the highest severity rating. Other notable fixes address out-of-bounds access in Autofill and type confusion in V8, though none approach the sandbox-escape capability of CVE-2026-13028.
The WebGL Attack Surface
WebGL exposes GPU functionality to web pages, creating a notoriously difficult attack surface to secure. The specification requires complex memory management between JavaScript and native graphics drivers, and use-after-free bugs in this boundary have fueled browser exploits for years.
This isn't Chrome's first critical WebGL vulnerability in 2026. In March, researchers at Pwn2Own demonstrated a separate WebGL exploit chain against Chrome on Windows, earning $100,000 for the disclosure. The repeated targeting suggests attackers view WebGL as one of the more productive research areas for browser exploitation.
Why Sandbox Escape Matters
Chrome's sandbox isolates renderer processes from the underlying operating system. Even if an attacker achieves code execution within the renderer, they're typically constrained to limited capabilities—no filesystem access, no network sockets, no privilege escalation.
Sandbox escapes change that calculation entirely. Once outside the sandbox, attackers can access files, install persistence mechanisms, and pivot to other applications. On Android, where users often keep sensitive data in apps beyond the browser, the impact extends to credentials, photos, messages, and financial applications.
Organizations running Chrome on Android—particularly those with unmanaged BYOD devices—face the highest exposure. The browser auto-updates on Android, but update timing depends on Play Store refresh cycles and device manufacturer configurations.
What To Do Now
Verify Chrome has updated to version 149.0.7827.197 or later on all platforms. On desktop, navigate to chrome://settings/help to check the version and force an update if needed. On Android, confirm through Settings > Apps > Chrome or wait for the Play Store to push the update.
Enterprise administrators using Chrome Browser Cloud Management can enforce minimum version policies and monitor fleet compliance. Given the severity, blocking access from unpatched Chrome instances—while aggressive—may be warranted for high-security environments.
If you can't update immediately, consider disabling WebGL temporarily via chrome://flags/#disable-webgl. This breaks 3D rendering on many websites but eliminates the attack surface until patching is complete.
For detection, monitor for unusual Chrome renderer crashes or unexpected child process spawning from the browser. Sandbox escapes often leave traces in process genealogy that endpoint detection tools can flag.
Google credited an anonymous researcher with discovering CVE-2026-13028 on June 7, 2026. The three-week turnaround from report to patch is typical for critical Chrome vulnerabilities, reflecting Google's established rapid-response process for browser security issues.
The broader lesson: WebGL remains a productive target for vulnerability researchers and attackers alike. Organizations should treat browser updates with the same urgency as operating system patches—especially when sandbox-defeating capabilities are on the table.
Related Articles
Chrome 148 Patches 79 Vulnerabilities Including 14 Critical Flaws
Google's May 2026 Chrome update addresses 79 security issues with 14 rated critical. Memory corruption bugs dominate—update immediately to version 148.0.7778.167.
May 15, 2026Google Patches Fourth Chrome Zero-Day of 2026
CVE-2026-5281 exploited in the wild targets Dawn WebGPU implementation. Google rushes emergency patch as Chrome zero-days accelerate in 2026.
Apr 1, 2026Google Patches Chrome Zero-Day Under Active Exploitation
CVE-2026-2441 is a high-severity CSS use-after-free in Chrome being exploited in the wild. Update to version 145.0.7632.75 immediately.
Feb 17, 2026Chrome Patches High-Severity WebView Policy Bypass
CVE-2026-0628 allowed malicious extensions to inject scripts into privileged pages through insufficient policy enforcement. Update to Chrome 143.0.7499.192.
Jan 7, 2026