Update Chrome now to fix four critical browser security flaws

Google has shipped a Chrome security update that fixes 18 vulnerabilities, four of them rated critical, and users should install it now. Two of the most serious flaws sit in WebGL, the browser feature that renders interactive 2D and 3D graphics, and could let an attacker break out of Chrome's protective sandbox using nothing more than a booby-trapped web page. There is no sign these specific bugs are being exploited yet, but the risk is high enough that waiting is unwise.

What is affected

The fix lands in Chrome's stable channel as version 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, with Android updated to 149.0.7827.197. Because Chrome's engine also powers Microsoft Edge, Brave, Opera, and other Chromium-based browsers, those will need their own updates as the fix flows downstream.

How the attack works

The two critical WebGL bugs, tracked as CVE-2026-13028 and CVE-2026-13032, are both "use-after-free" flaws. That is a memory-handling mistake where a program keeps using a chunk of memory it has already released, which an attacker can manipulate to make the browser run code it should not. On their own such bugs are serious, but chained with a second flaw they can become a full system takeover. The browser sandbox is meant to be a sealed box that keeps any malicious code stuck inside the browser, so a sandbox escape is what turns "something bad happened in a tab" into "something bad reached the rest of your computer".

Google credited an external researcher for one of the WebGL bugs and found the others internally. The company is holding back deeper technical detail until most users have updated, a routine precaution.

What you should do

Chrome usually updates itself, but it only finishes the job when you restart the browser, and people who leave Chrome open for days can lag behind. To force it, open the menu (the three dots), go to Settings then About Chrome, let it download any available update, and click Relaunch. Then repeat for any other Chromium-based browsers you use.
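For anyone checking more than one machine, the same test can be scripted. The sketch below is an added example, not code from Google or from the original report: it compares Chrome version strings against the fixed builds listed above and separately flags machines where the update is on disk but the old build is still running. The inventory records, host names and the idea of collecting a "running" version alongside the installed one are assumptions made for illustration.

```python
import re

# Fixed stable builds as stated in the article. Windows and Mac ship as
# .196/.197, so .196 is taken as the lowest patched build on those platforms.
FIXED = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
    "android": (149, 0, 7827, 197),
}
CHROME_RE = re.compile(r"Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse(version_text):
    """Return the four-part version as a tuple of ints, or None if not Chrome."""
    m = CHROME_RE.match((version_text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def status(platform, installed, running=None):
    """Classify one machine from its on-disk and (optional) running version."""
    fixed, on_disk = FIXED.get(platform), parse(installed)
    if fixed is None or on_disk is None:
        # Other Chromium-based browsers use their own version numbers and
        # receive the fix on their own schedule; check the vendor's release.
        return "check-vendor"
    if on_disk < fixed:
        return "outdated"
    live = parse(running)
    if live is not None and live < fixed:
        # Update downloaded, but the old build is still the one executing.
        return "restart-needed"
    return "patched"

# Constructed inventory: (host, platform, installed version, running version).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.197", "Google Chrome 149.0.7827.197"),
    ("ws-02", "windows", "Google Chrome 149.0.7827.196", "Google Chrome 149.0.7827.100"),
    ("lx-01", "linux", "Google Chrome 148.0.7000.50", None),
    ("ph-01", "android", "Google Chrome 149.0.7827.196", None),
    ("ws-03", "windows", "Example Chromium Fork 1.2.3", None),
]

def report(inventory):
    """Map each host name to its patch status."""
    return {host: status(plat, inst, run) for host, plat, inst, run in inventory}

if __name__ == "__main__":
    for host, state in report(INVENTORY).items():
        print(f"{host}: {state}")
```

Anything reported as `restart-needed` is still running the vulnerable build until the browser is relaunched.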

Browser flaws are a perennial target: Google has already patched several actively exploited Chrome zero-days this year, including a V8 engine bug used in real attacks and two zero-days in Skia and V8 exploited in the wild. Staying current is the single most effective defense.

The critical bugs

Google announced the fixes in its Chrome release channel, and the breakdown here draws on the write-up by researchers at Malwarebytes in the original report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
