CVE: CVE-2026-13021 through CVE-2026-13030 (10 CVEs) | Highest CVSS 3.1: 9.6 (CRITICAL) — CVE-2026-13028 | Vendor: Google | Product: Chrome 149.0.7827.197 | Platforms: Windows, Mac, Linux, Android
What Is the Vulnerability
Google released Chrome 149.0.7827.197 on June 24, 2026, patching 10 security vulnerabilities. The most severe is CVE-2026-13028, a WebGL use-after-free rated CVSS 9.6 (CRITICAL) and listed as affecting Android, where it enables remote code execution. An attacker who convinces a user to visit a malicious webpage can trigger memory corruption in the WebGL subsystem, leading to arbitrary code execution inside the browser's sandbox, or beyond it if chained with a separate sandbox-escape bug.
The update addresses a cluster of use-after-free vulnerabilities, which remain the dominant memory safety bug class in Chromium. Use-after-free flaws occur when the browser continues to reference memory after it has been freed, creating a window for attackers to place controlled data at that memory location and hijack execution flow. The remaining vulnerabilities span race conditions, uninitialized memory use, and input validation weaknesses across components including Digital Credentials, FileSystem, DevTools, GPU, Navigation, and Web Authentication.
Full CVE breakdown:
- CVE-2026-13028 (CVSS 9.6, CRITICAL): WebGL use-after-free on Android — remote code execution
- CVE-2026-13026 (CVSS 8.8, HIGH): Digital Credentials use-after-free on Mac
- CVE-2026-13027 (CVSS 8.8, HIGH): FileSystem use-after-free — all platforms
- CVE-2026-13025 (CVSS 8.3, HIGH): DevTools race condition
- CVE-2026-13029 (CVSS 7.5, HIGH): Web Authentication use-after-free
- CVE-2026-13023 (CVSS 5.3, MEDIUM): GPU uninitialized use
- CVE-2026-13030 (CVSS 5.3, MEDIUM): GPU uninitialized use on Android
- CVE-2026-13021 (CVSS 4.3, MEDIUM): DeviceBoundSessionCredentials implementation
- CVE-2026-13024 (CVSS 4.2, MEDIUM): Navigation input validation
- CVE-2026-13022 (UNRATED): Autofill implementation issue
Versions Affected
All Chrome versions prior to 149.0.7827.197 across Windows, Mac, Linux, and Android are affected by one or more of these CVEs. Chrome auto-updates by default, but stable-channel rollouts are staged, so an individual endpoint may not be offered the build for several days after release, and a downloaded update is only applied once the browser is relaunched. Organisations that disable or defer Chrome auto-updates should verify deployment manually rather than assume the fleet is current.
All Chromium-based browsers are downstream consumers of the Chromium source — Microsoft Edge, Opera, Brave, Vivaldi, and others will follow with their own updates incorporating these fixes within days.
Exploited?
Not yet known to be exploited in the wild. Google's release notes do not flag any of the 10 CVEs as having a known in-the-wild exploit at the time of release. Chrome use-after-free bugs, including those in WebGL and FileSystem, are nonetheless a bug class that has been weaponised quickly in the past, and HIGH and CRITICAL Chrome fixes have at times been followed by active exploitation within days to weeks of the patch shipping. The absence of a known exploit today is not a reason to defer the update.
Broader context: CVE-2026-11645, the Chrome V8 type confusion vulnerability in CISA’s KEV catalog with a June 23 remediation deadline, is now 2 days past its BOD 26-04 deadline. Organisations that have not yet deployed Chrome patches for the prior cycle should treat browser update compliance as an urgent priority.
Fix
Google Chrome auto-updates on most platforms. To verify or force the update:
- Desktop (Windows/Mac/Linux): Navigate to chrome://settings/help. Chrome will check for updates and install version 149.0.7827.197; restart the browser to complete the update.
- Android: Update Chrome via the Google Play Store (version 149.0.7827.197).
- Enterprise deployment: Deploy the latest MSI (Windows), DMG/PKG (Mac) or DEB/RPM (Linux) packages via your endpoint management platform, then verify fleet-wide that every endpoint reports 149.0.7827.197 or later.
- Chromium-based browsers: Monitor Microsoft Edge, Opera, Brave, and Vivaldi release channels — they will ship equivalent fixes shortly. Apply those updates as they become available.
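The steps above say to confirm that endpoints report 149.0.7827.197 or later; a naive string comparison gets dotted versions wrong (for example "149.0.7827.99" sorts after "149.0.7827.197" lexically). The POSIX shell script below is an added example written for this page, not a Google-provided tool: it parses the output of `chrome --version`, compares the four numeric components against the patched build, and returns a compliance verdict. The binary names and the macOS application path are assumptions about where Chrome is installed on Linux and Mac hosts; Windows endpoints, which report the version differently, are out of scope for this POSIX script.

```shell
#!/bin/sh
# Added example for this advisory (not Google's code): check whether an installed
# Chrome build is at or above the patched version 149.0.7827.197.

PATCHED="149.0.7827.197"

# Extract the dotted four-part version from a line such as
# "Google Chrome 149.0.7827.197" or "Chromium 149.0.7827.100 snap".
parse_chrome_version() {
  sed -n 's/.*[^0-9.]\([0-9]\{1,\}\(\.[0-9]\{1,\}\)\{3\}\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2, else 1. Components are compared
# numerically, one at a time; a missing component counts as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# Locate a Chrome binary and print its version. The candidate names and the
# macOS path are assumptions; extend the list for your own fleet.
chrome_installed_version() {
  for bin in google-chrome google-chrome-stable \
             "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
    if command -v "$bin" >/dev/null 2>&1 || [ -x "$bin" ]; then
      "$bin" --version 2>/dev/null | parse_chrome_version
      return 0
    fi
  done
  return 1
}

# Print a verdict for version string $1. Exit status: 0 compliant, 1 vulnerable,
# 2 when no version could be determined (treat as non-compliant in reporting).
check_chrome_version() {
  v="$1"
  if [ -z "$v" ]; then
    echo "chrome: version not found" >&2
    return 2
  fi
  if version_ge "$v" "$PATCHED"; then
    echo "chrome $v: OK (>= $PATCHED)"
    return 0
  fi
  echo "chrome $v: VULNERABLE (< $PATCHED); update and relaunch the browser"
  return 1
}

# Constructed sample line standing in for real `chrome --version` output, used
# only when no Chrome binary is present on this host.
SAMPLE_OUTPUT="Google Chrome 149.0.7827.197"

rc=0
if installed=$(chrome_installed_version); then
  check_chrome_version "$installed" || rc=$?
else
  echo "no Chrome binary found; checking constructed sample instead" >&2
  check_chrome_version "$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_chrome_version)" || rc=$?
fi
# In a deployment script you would `exit $rc` here so the endpoint manager
# records the result; it is left as a variable so the file can be sourced.
```

Run it under your endpoint management agent and collect the exit status: 0 means the host is at or above 149.0.7827.197, 1 means it is still on a vulnerable build, and 2 means Chrome was not found at any of the assumed paths. A host whose Chrome has downloaded the update but has not been relaunched still reports the old version, which is exactly the case the check should surface.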
Recommendations
- Verify Chrome auto-update status. Check a representative sample of endpoints to confirm Chrome 149.0.7827.197 is deployed.
- Prioritise Android devices. CVE-2026-13028 (CVSS 9.6, CRITICAL) is listed as Android-specific. Push the update to enterprise-managed Android devices urgently.
- Audit browser update compliance. With CVE-2026-11645 now past its CISA KEV deadline, run a fleet-wide audit of Chrome versions. All endpoints should be at 149.0.7827.197.
- Apply Chromium-derived browser updates. As Edge, Opera, Brave, and Vivaldi release their updates incorporating these fixes, deploy them through your standard patch management process.
- Monitor for exploitation activity. Chrome use-after-free bugs have been exploited within days of disclosure in the past. Watch threat intelligence feeds and the CISA KEV catalog for in-the-wild exploitation reports against any of these 10 CVEs.
- Enforce browser update policies. Configure group policies or MDM profiles to enforce automatic browser updates across the fleet to reduce the window of exposure to future Chrome vulnerabilities.
References
- Google Chrome Releases: Stable Channel Update for Desktop (June 24, 2026)
- NVD Entry for CVE-2026-13028 (WebGL use-after-free, CVSS 9.6)
- NVD Entry for CVE-2026-13026 (Digital Credentials use-after-free)
- NVD Entry for CVE-2026-13027 (FileSystem use-after-free)
- CISA KEV Catalog (CVE-2026-11645 V8 type confusion — past June 23 deadline)
Part of the Vulnerability Intelligence series on threat-modeling.com. Chrome updates routinely and silently — ensure your fleet is current. See the June 25, 2026 Vulnerability Intelligence Report for broader context.
