Google Chrome: Three High-Severity Flaws Including Use-After-Free Patched Together
Google Chrome patched three high-severity use-after-free and integer overflow vulnerabilities on June 28, 2026, affecting Android and core components.
Key findings
- Three high-severity vulnerabilities in Google Chrome patched on June 28, 2026.
- Vulnerabilities include two use-after-free flaws and one integer overflow.
- Exploitation vectors range from physical access to crafted HTML and file manipulation.
- All issues fixed in Chrome version 149.0.7827.201.
On June 28, 2026, Google released security updates for Chrome addressing three high-severity vulnerabilities, all fixed in version 149.0.7827.201. The disclosures cluster around use-after-free and integer overflow flaws, impacting Google Chrome on Android and its core Mojo component. These vulnerabilities could allow local attackers with physical access or remote attackers who can trick users into specific UI interactions or compromise the renderer process to execute arbitrary code or escape the sandbox.
Two of the vulnerabilities, CVE-2026-13282 and CVE-2026-13283, are use-after-free flaws. CVE-2026-13282, affecting the Payments component on Android, requires physical access to the device for exploitation and could lead to heap corruption. CVE-2026-13283, impacting the AdFilter component on Android, allows for arbitrary code execution via a crafted HTML page after a user engages in specific UI gestures.
The third vulnerability, CVE-2026-13281, is an integer overflow in the Mojo component. This flaw could enable a sandbox escape if an attacker has already compromised the renderer process, potentially leading to the execution of malicious code through a specially crafted file.
All three vulnerabilities were patched in Chrome version 149.0.7827.201. Users are strongly advised to update to this version or later to protect themselves from these security risks. The swift patching by Google indicates a proactive approach to mitigating potential exploitation of these high-severity issues.