
CVE-2026-13035: Google Chrome Use-After-Free Vulnerability

CVE-2026-13035 is a use-after-free vulnerability in Google Chrome's Bluetooth component on Mac that allows remote code execution via malicious peripherals. This post covers technical details, affected versions, and mitigation.

CVE-2026-13035 Overview

CVE-2026-13035 is a use-after-free vulnerability in the Bluetooth component of Google Chrome on macOS. The flaw affects Chrome versions prior to 149.0.7827.197 and allows a remote attacker to execute arbitrary code by presenting a malicious Bluetooth peripheral to a target browser. Google's Chromium project rated the security severity as High. The vulnerability is classified under CWE-416: Use After Free and requires user interaction to trigger the vulnerable code path.

Critical Impact

A malicious Bluetooth peripheral within range of a vulnerable Chrome installation on macOS can trigger memory corruption leading to arbitrary code execution within the browser process.

Affected Products

  • Google Chrome on macOS prior to version 149.0.7827.197
  • Apple macOS (host platform for the affected Chrome browser)
  • Chromium-based browsers on macOS that share the affected Bluetooth implementation

Discovery Timeline

  • 2026-06-24 - CVE-2026-13035 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-13035

Vulnerability Analysis

The vulnerability resides in Chrome's Web Bluetooth implementation on macOS. Web Bluetooth enables web pages to communicate with nearby Bluetooth Low Energy (BLE) peripherals through JavaScript APIs. A use-after-free condition occurs when the browser continues to reference a Bluetooth-related object in memory after it has been freed.

An attacker who controls a Bluetooth peripheral can manipulate the lifecycle of the affected object. When Chrome accesses the freed memory region, the attacker-controlled contents can redirect execution flow. This results in arbitrary code execution within the renderer or browser process context.

The attack requires user interaction. A victim must visit an attacker-controlled web page and grant Bluetooth device access, or interact with a page already authorized to use Web Bluetooth. The scope remains unchanged, but successful exploitation compromises confidentiality, integrity, and availability of the browser session.

Root Cause

The root cause is improper object lifetime management in the Bluetooth subsystem [CWE-416]. The code path frees a Bluetooth-related object while retaining a dangling reference. Subsequent operations dereference the stale pointer, allowing an attacker who can influence heap layout to substitute attacker-controlled data at the freed location.

Attack Vector

Exploitation requires network reachability to deliver the malicious web page and proximity for the Bluetooth peripheral interaction. The attacker hosts a page that initiates a Web Bluetooth session and pairs with a peripheral they control. The peripheral returns crafted GATT (Generic Attribute Profile) responses or triggers state transitions that cause the use-after-free.

No authentication is required. The user must accept the Bluetooth device prompt or have previously authorized the origin. See the Chromium Issue Tracker Entry and the Google Chrome Update Announcement for vendor-confirmed details. No public proof-of-concept is currently available.

Detection Methods for CVE-2026-13035

Indicators of Compromise

  • Chrome processes on macOS exhibiting unexpected crashes referencing Bluetooth modules in crash reports under ~/Library/Application Support/Google/Chrome/Crashpad
  • Outbound connections from Chrome renderer processes to unknown command-and-control endpoints following Bluetooth pairing events
  • Unexpected child processes spawned by Google Chrome Helper on macOS endpoints

Detection Strategies

  • Inventory Chrome versions across macOS fleets and flag any installation prior to 149.0.7827.197
  • Monitor endpoint telemetry for anomalous Chrome process behavior, including memory region modifications and code execution outside expected browser sandbox boundaries
  • Correlate Web Bluetooth API usage with browsing telemetry to identify high-risk sessions involving untrusted origins
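
The version inventory check from the first strategy above, as an added example (not part of the original advisory or any vendor tooling). The `host,version` export format, the hostnames and sample versions, and the default Chrome install path are assumptions. The comparison is numeric per field, because a plain string comparison would rank build `.96` above `.197`.

```sh
#!/bin/sh
# Added example: flag Chrome builds older than the fixed release in this advisory.
FIXED_VERSION="149.0.7827.197"

# is_vulnerable VERSION
#   returns 0 if VERSION is older than FIXED_VERSION,
#           1 if it is the fixed release or newer,
#           2 if it is not a four-field dotted number (needs manual review).
is_vulnerable() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' || return 2
  printf '%s %s\n' "$1" "$FIXED_VERSION" | awk '{
    split($1, have, "."); split($2, want, ".")
    for (i = 1; i <= 4; i++) {
      if (have[i] + 0 < want[i] + 0) exit 0   # older field: vulnerable
      if (have[i] + 0 > want[i] + 0) exit 1   # newer field: patched
    }
    exit 1                                    # identical to the fixed build
  }'
}

# local_chrome_version: run on a macOS endpoint to read the installed bundle
# version (assumes the default /Applications install location).
local_chrome_version() {
  /usr/bin/defaults read \
    "/Applications/Google Chrome.app/Contents/Info" CFBundleShortVersionString
}

# flag_inventory: read "host,version" lines on stdin, print hosts needing action.
flag_inventory() {
  while IFS=, read -r host ver; do
    case "$host" in ''|'#'*) continue ;; esac
    rc=0
    is_vulnerable "$ver" || rc=$?
    case "$rc" in
      0) echo "VULNERABLE $host $ver" ;;
      2) echo "UNKNOWN $host $ver" ;;
    esac
  done
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY='mac-001,149.0.7827.197
mac-002,149.0.7827.96
mac-003,148.0.7700.210
mac-004,150.0.7900.12
mac-005,unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | flag_inventory
```

The bundle version on disk can be newer than the Chrome process still running, so pair this check with the restart step listed under Immediate Actions Required.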

Monitoring Recommendations

  • Enable macOS Unified Logging for Bluetooth subsystem events and forward to a centralized log platform
  • Track Chrome auto-update status via MDM to confirm patched versions are deployed across managed endpoints
  • Alert on Chrome crash dumps that reference Bluetooth GATT or device manager symbols

How to Mitigate CVE-2026-13035

Immediate Actions Required

  • Update Google Chrome on all macOS endpoints to version 149.0.7827.197 or later
  • Verify that Chrome auto-update is functioning and not blocked by network or policy controls
  • Restart Chrome after the update to ensure the patched binary is loaded into memory

Patch Information

Google released the fix in the Stable channel update referenced in the Google Chrome Update Announcement. Administrators can deploy the patch through standard Chrome update mechanisms or via enterprise management tools such as Chrome Browser Cloud Management. Chromium-based browsers that incorporate the upstream fix should be updated to their corresponding patched releases.

Workarounds

  • Disable Web Bluetooth via the enterprise policy DefaultWebBluetoothGuardSetting set to 2 (block) until patching is complete
  • Restrict Bluetooth permissions through macOS Privacy controls for users who do not require Web Bluetooth functionality
  • Apply site-permission policies to allow Web Bluetooth only on trusted internal origins
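
```bash
# Configuration example: Block Web Bluetooth via Chrome enterprise policy on macOS
# (2 = block, as described in the workaround above)
defaults write com.google.Chrome DefaultWebBluetoothGuardSetting -int 2

# Verify the value was written
defaults read com.google.Chrome DefaultWebBluetoothGuardSetting

# `defaults write` stores the value in the user's preferences domain, not as an
# MDM-managed preference. Confirm on chrome://policy that Chrome lists the policy
# as applied; for fleet-wide enforcement, deliver the same key through a
# configuration profile.
```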

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
