Chrome 149: 18 CVEs Patched, Including Four Critical Sandbox-Escape Flaws
Google's June 24 Chrome update patches 18 vulnerabilities — four Critical and 14 High — including WebGL and Autofill bugs that can escape the browser sandbox.

Key findings
- 18 CVEs fixed in Chrome 149.0.7827.196/197, including 4 Critical and 14 High
- Two Critical WebGL UAF bugs (CVE-2026-13028, CVE-2026-13032) can escape the sandbox on Android
- CVE-2026-13033 is a Critical out-of-bounds read/write in Blink's InterestGroups
- CVE-2026-13038 is a Critical UAF in Autofill on Windows enabling arbitrary code execution
- Multiple High-severity bugs allow site-isolation bypass from a compromised renderer
- No active exploitation reported; users urged to update immediately
Google shipped a security update for Chrome on June 24, 2026, patching 18 vulnerabilities, four rated Critical and 14 rated High, across the browser's rendering, GPU, WebGL, and credential-handling components. The update pushes the Stable channel to version 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux; Android users receive 149.0.7827.197. None of the bugs is known to be exploited in the wild, but the density of use-after-free (UAF) and sandbox-escape flaws in a single release makes this a significant patch event for Chrome's large user base (Malwarebytes Labs).
Critical-Rated Flaws
Four CVEs received the Chromium project's Critical severity label. Two of them, CVE-2026-13028 and CVE-2026-13032, are use-after-free bugs in Chrome's WebGL rendering engine on Android. Both are reachable from a crafted HTML page and allow a remote attacker to potentially escape the sandbox. CVE-2026-13028 was reported by an anonymous researcher on June 7, while CVE-2026-13032 was found internally by Google on June 13 (Cyber Security News). CVE-2026-13033 is an out-of-bounds read and write in the Blink engine's InterestGroups component, enabling arbitrary code execution. CVE-2026-13038 is a use-after-free in Autofill on Windows, also leading to arbitrary code execution.
High-Severity Use-after-Free Cluster
Seven High-severity UAF bugs were fixed across a wide range of subsystems. CVE-2026-13037 (WebView on Android) and CVE-2026-13036 and CVE-2026-13031 (Blink) allow arbitrary code execution inside the sandbox via crafted HTML pages. CVE-2026-13035 affects Bluetooth on Mac and is reached through a malicious peripheral. CVE-2026-13029 (Web Authentication) requires the attacker to first convince a user to install a malicious extension before the heap corruption can be triggered. CVE-2026-13027 (FileSystem) and CVE-2026-13026 (Digital Credentials on Mac) round out the High-rated set; the Autofill UAF on Windows, CVE-2026-13038, is the Critical-rated bug described above rather than part of this High cluster.
Site Isolation and Sandbox-Escape Bugs
Several High-severity flaws weaken Chrome's site-isolation and sandbox defenses. CVE-2026-13034 (Passwords) and CVE-2026-13024 (Navigation) allow a remote attacker who has already compromised the renderer process to bypass site isolation, which is the layer meant to contain exactly that kind of compromise. CVE-2026-13025 is a race condition in DevTools that could enable a sandbox escape from a compromised renderer. CVE-2026-13021 (DeviceBoundSessionCredentials) allows a remote attacker to bypass the same-origin policy.
Information Disclosure and Data Leakage
CVE-2026-13030 and CVE-2026-13023 are uninitialized-use bugs in the GPU subsystem — on Android and cross-platform respectively — that could leak sensitive information from process memory. CVE-2026-13022 (Autofill) allows a compromised renderer to leak cross-origin data.
Response and Patching
All 18 CVEs are fixed in Chrome 149.0.7827.196/197. Google's automatic update mechanism will roll out the fix over the coming days and weeks; users can manually trigger an update by opening chrome://settings/help (Help > About Google Chrome), which downloads the new build but applies it only after the browser is relaunched, so an update that sits behind a "Relaunch" button is not yet protecting the user. No workarounds or mitigations beyond updating have been published. The Android version was updated to 149.0.7827.197 in a separate but concurrent release (Malwarebytes Labs).
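For anyone verifying a fleet rather than a single machine, the check is a four-part version comparison against a platform-specific floor. The script below is an added example, not code from the article or from Google; the fixed builds are taken from the article (Windows and Mac 149.0.7827.196 or 197, Linux 149.0.7827.196, Android 149.0.7827.197, with 196 treated as the floor where both are listed), the sample version strings are constructed, and the `google-chrome --version` invocation is an assumption that varies by install.

```python
"""Check whether a Chrome build is at or above the fixed 149.0.7827.x
version for its platform. Added example; fixed-build numbers are from
the article, sample strings are constructed, the binary path is assumed."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum patched build per platform, per the article. Windows/Mac shipped
# as .196/.197, so .196 is taken as the floor there; Android needs .197.
FIXED_VERSIONS = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
    "android": (149, 0, 7827, 197),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 149.0.7827.196'. Returns None if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, platform: str) -> bool:
    """True if the version string meets the fixed build for `platform`.
    Unknown platforms and unparseable strings count as NOT patched,
    which is the safe default for an inventory check."""
    fixed = FIXED_VERSIONS.get(platform.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return False
    # Tuple comparison is lexicographic, so 150.0.x.y > 149.0.7827.196
    # and 149.0.7826.99 < 149.0.7827.196 both come out right.
    return found >= fixed


def installed_version(cmd=("google-chrome", "--version")) -> Optional[str]:
    """Ask the local Chrome binary for its version string. The command
    is an assumption (Linux-style); adjust for Windows/Mac installs."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real machines.
    samples = [
        ("Google Chrome 149.0.7827.196", "linux"),
        ("Google Chrome 149.0.7827.196", "android"),  # Android floor is .197
        ("Google Chrome 149.0.7827.197", "android"),
        ("Google Chrome 149.0.7826.99", "windows"),   # older build
        ("Google Chrome 150.0.7900.12", "mac"),       # newer major
    ]
    for text, plat in samples:
        state = "patched" if is_patched(text, plat) else "UPDATE"
        print(f"{text} [{plat}] -> {state}")
    live = installed_version()
    if live:
        print(f"local: {live} -> {'patched' if is_patched(live, 'linux') else 'UPDATE'}")
```

The reported version string is only meaningful for the running process; a machine that has downloaded the update but not relaunched still reports the old build, which is the case the "Relaunch" prompt exists for.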
Bottom Line
This batch is notable for its volume, 18 CVEs in a single stable-channel release, and for the concentration of Critical-rated WebGL and Autofill bugs that could break out of Chrome's sandbox. While no in-the-wild exploitation has been reported, the attack surface exposed by these flaws (crafted HTML pages, malicious peripherals, compromised renderers) makes prompt updating the only practical defense. Chrome users on all platforms should verify they are running 149.0.7827.196 or later (149.0.7827.197 on Android).