CVE-2026-13035 Overview
CVE-2026-13035 is a use-after-free vulnerability in the Bluetooth component of Google Chrome on macOS. The flaw affects Chrome versions prior to 149.0.7827.197 and allows a remote attacker to execute arbitrary code by presenting a malicious Bluetooth peripheral to a target browser. Google's Chromium project rated the security severity as High. The vulnerability is classified under CWE-416: Use After Free and requires user interaction to trigger the vulnerable code path.
Critical Impact
A malicious Bluetooth peripheral within range of a vulnerable Chrome installation on macOS can trigger memory corruption leading to arbitrary code execution within the browser process.
Affected Products
- Google Chrome on macOS prior to version 149.0.7827.197
- Apple macOS (host platform for the affected Chrome browser)
- Chromium-based browsers on macOS that share the affected Bluetooth implementation
Discovery Timeline
- 2026-06-24 - CVE-2026-13035 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-13035
Vulnerability Analysis
The vulnerability resides in Chrome's Web Bluetooth implementation on macOS. Web Bluetooth enables web pages to communicate with nearby Bluetooth Low Energy (BLE) peripherals through JavaScript APIs. A use-after-free condition occurs when the browser continues to reference a Bluetooth-related object in memory after it has been freed.
An attacker who controls a Bluetooth peripheral can manipulate the lifecycle of the affected object. When Chrome accesses the freed memory region, the attacker-controlled contents can redirect execution flow. This results in arbitrary code execution within the renderer or browser process context.
The attack requires user interaction. A victim must visit an attacker-controlled web page and grant Bluetooth device access, or interact with a page already authorized to use Web Bluetooth. The scope remains unchanged, but successful exploitation compromises confidentiality, integrity, and availability of the browser session.
Root Cause
The root cause is improper object lifetime management in the Bluetooth subsystem [CWE-416]. The code path frees a Bluetooth-related object while retaining a dangling reference. Subsequent operations dereference the stale pointer, allowing an attacker who can influence heap layout to substitute attacker-controlled data at the freed location.
Attack Vector
Exploitation requires network reachability to deliver the malicious web page and proximity for the Bluetooth peripheral interaction. The attacker hosts a page that initiates a Web Bluetooth session and pairs with a peripheral they control. The peripheral returns crafted GATT (Generic Attribute Profile) responses or triggers state transitions that cause the use-after-free.
No authentication is required. The user must accept the Bluetooth device prompt or have previously authorized the origin. See the Chromium Issue Tracker Entry and the Google Chrome Update Announcement for vendor-confirmed details. No public proof-of-concept is currently available.
Detection Methods for CVE-2026-13035
Indicators of Compromise
- Chrome processes on macOS exhibiting unexpected crashes referencing Bluetooth modules in crash reports under ~/Library/Application Support/Google/Chrome/Crashpad
- Outbound connections from Chrome renderer processes to unknown command-and-control endpoints following Bluetooth pairing events
- Unexpected child processes spawned by Google Chrome Helper on macOS endpoints
Detection Strategies
- Inventory Chrome versions across macOS fleets and flag any installation prior to 149.0.7827.197
- Monitor endpoint telemetry for anomalous Chrome process behavior, including memory region modifications and code execution outside expected browser sandbox boundaries
- Correlate Web Bluetooth API usage with browsing telemetry to identify high-risk sessions involving untrusted origins
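The version inventory check above can be scripted. This is an added example, not part of the advisory: it compares a Chrome version string against the fixed version 149.0.7827.197 component by component (a plain string comparison would misorder 149.0.7827.97 and 149.0.7827.197), and reads the installed version from the standard Chrome bundle path, which is an assumption about where Chrome is installed. The sample versions in the loop are constructed.

```shell
#!/bin/sh
# Added example: classify Chrome versions against the fixed build for CVE-2026-13035.
FIXED_VERSION="149.0.7827.197"

# Return 0 if $1 is strictly older than $2, comparing up to four numeric
# dotted components; a missing component is treated as 0.
version_lt() {
    v1="$1"; v2="$2"
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i")
        b=$(printf '%s' "$v2" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Print VULNERABLE when the version predates the fix, PATCHED otherwise.
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# Read the installed version from the Chrome bundle on macOS
# (assumed install path; returns non-zero if Chrome is not there).
installed_chrome_version() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# Constructed sample versions to exercise the comparison.
for v in 148.0.7700.50 149.0.7827.97 149.0.7827.197 150.0.8000.1; do
    printf '%s %s\n' "$v" "$(assess_version "$v")"
done
```

On a managed fleet, replace the sample loop with `assess_version "$(installed_chrome_version)"` run by the MDM agent on each endpoint.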
Monitoring Recommendations
- Enable macOS Unified Logging for Bluetooth subsystem events and forward to a centralized log platform
- Track Chrome auto-update status via MDM to confirm patched versions are deployed across managed endpoints
- Alert on Chrome crash dumps that reference Bluetooth GATT or device manager symbols
How to Mitigate CVE-2026-13035
Immediate Actions Required
- Update Google Chrome on all macOS endpoints to version 149.0.7827.197 or later
- Verify that Chrome auto-update is functioning and not blocked by network or policy controls
- Restart Chrome after the update to ensure the patched binary is loaded into memory
Patch Information
Google released the fix in the Stable channel update referenced in the Google Chrome Update Announcement. Administrators can deploy the patch through standard Chrome update mechanisms or via enterprise management tools such as Chrome Browser Cloud Management. Chromium-based browsers that incorporate the upstream fix should be updated to their corresponding patched releases.
Workarounds
- Disable Web Bluetooth via the enterprise policy DefaultWebBluetoothGuardSetting set to 2 (block) until patching is complete
- Restrict Bluetooth permissions through macOS Privacy controls for users who do not require Web Bluetooth functionality
- Apply site-permission policies to allow Web Bluetooth only on trusted internal origins
# Configuration example: Block Web Bluetooth via Chrome enterprise policy on macOS
# DefaultWebBluetoothGuardSetting: 2 = block all sites, 3 = allow sites to ask (default)
defaults write com.google.Chrome DefaultWebBluetoothGuardSetting -int 2
# Verify the policy is applied (should print 2; chrome://policy shows it after a restart)
defaults read com.google.Chrome DefaultWebBluetoothGuardSetting
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.