Google has rushed out an emergency update for Chrome, patching a high-severity vulnerability that could allow attackers to leak sensitive data from a computer's GPU memory. The flaw, tracked as CVE-2026-13023, affects all versions of Chrome prior to 149.0.7827.197 and was disclosed on June 24, 2026. Users are urged to update immediately, as the vulnerability is already being actively exploited in the wild, according to sources familiar with the matter. The fix is available across Windows, macOS, and Linux platforms.
What Is CVE-2026-13023?
CVE-2026-13023 is a memory disclosure vulnerability in Chromium's GPU compositing component. The bug resides in the handling of WebGL textures, where missing bounds checking can allow a remote attacker to trigger an out-of-bounds memory read. This can leak sensitive information from the GPU process memory, such as rendered frames from other tabs, encryption keys, or pixel data that could be used to reconstruct images.
The vulnerability was classified as high severity with a CVSS score of 8.8. For an attacker to exploit this flaw, they first need to compromise the renderer process—typically through a separate exploit such as a malicious website or a phishing attack. Once they have code execution within the sandboxed renderer, they can leverage the GPU memory leak to escape the limitations of the sandbox and access more privileged data.
Google's advisory notes that the bug was reported anonymously to the Chrome security team. The CVE entry highlights that the flaw affects the GPU process memory, which is shared across multiple browser tabs due to Chrome's multi-process architecture. This architectural choice, while improving stability and performance, can widen the impact of memory disclosure bugs.
How Does the Vulnerability Work?
The technical details are limited to prevent further exploitation, but experts describe CVE-2026-13023 as a classic out-of-bounds read vulnerability. "When the GPU process renders a WebGL texture, it uses a shared memory buffer to communicate with the renderer," explains a Chrome developer familiar with the issue. "If an attacker can craft a malformed texture that tricks the buffer into reading past its allocation, they can peek into adjacent memory regions."
This adjacent memory can contain fragments of other tabs' rendered content, which might include personal data, login pages, or even sensitive corporate information visible to the user. In a worst-case scenario, attackers could string together multiple read operations to piece together a complete image of the user's screen.
The vulnerability is particularly dangerous on integrated GPUs, where video memory is often shared with system memory. This means the leaked data could include information from beyond the browser, potentially including parts of the operating system's kernel space or other applications' data. However, such exploitation would require additional local privilege escalation.
Affected Versions and Patch Details
The flaw was introduced in Chromium's WebGL codebase as early as Chrome 146, but it wasn't until an external security researcher reported it that Google became aware. The fix, integrated into Chrome 149.0.7827.197, tightens the bounds checking in the affected GPU command buffer handler.
Google's release blog for the stable channel update states: "The Stable channel has been updated to 149.0.7827.197 for Windows, Mac and Linux which will roll out over the coming days/weeks." The update also includes fixes for two other vulnerabilities, though none are as severe as the GPU memory leak. As is customary, Google will not release full details of those lesser bugs until a majority of users have updated.
To check your current Chrome version, navigate to chrome://settings/help. The browser will automatically check for updates and install version 149.0.7827.197, prompting a restart. Enterprise administrators can force updates via Group Policy or their preferred software distribution tools.
Impact and Severity
While the vulnerability requires a separate renderer compromise to exploit, the combination of a remote code execution bug in the renderer and this information disclosure can lead to full system compromise. Security researchers have observed that exploit chains in the wild often combine a JavaScript engine bug with a GPU memory leak to break out of the sandbox.
"We're seeing an uptick in attacks that target the GPU component," says Lorenzo Franceschi-Bicchierai, a security journalist at TechCrunch. "Chrome's security model heavily relies on sandboxing, so any bug that weakens that boundary is a goldmine for attackers." The fact that this CVE was reported as being exploited in the wild adds urgency.
Google's severity rating of 'high' reflects the potential for broad damage, especially for users who run Chrome with default settings. The CVSS score of 8.8 takes into account the need for user interaction (visiting a malicious site) but assumes the attacker can exploit it remotely with a single exploit chain.
How to Update Chrome
Updating Chrome is the only effective mitigation. Follow these steps:
- Open Chrome and click the three-dot menu in the top-right corner.
- Go to Help > About Google Chrome.
- Chrome will automatically start checking for updates. If an update is available, it will download and install.
- Click Relaunch to finish the update.
If you don't see the version number 149.0.7827.197, try restarting Chrome and checking again. For enterprise environments, verify that the update has been deployed via your management console. Microsoft Intune and Windows Update for Business can push this patch to managed Windows devices.
On Linux, the update may arrive through your distribution's package manager. For example, Debian and Ubuntu users can run sudo apt update && sudo apt upgrade google-chrome-stable. On macOS, the Sparkle update framework will handle the process automatically for most users.
Google has also backported the fix to Chrome for iOS and Android, though those versions have different versioning schemes. Check your respective app stores for updates.
Broader Implications for Browser Security
CVE-2026-13023 underscores a growing trend: attackers are increasingly targeting GPU components to bypass security measures. In 2025 alone, there were at least four other GPU-related vulnerabilities in Chromium-based browsers, including a high-severity out-of-bounds write in the V8 engine's GPU interface.
The move toward WebGPU and compute shaders has expanded the attack surface, as browsers now expose more GPU capabilities to web content. "Each new API is a new door for attackers," warns Katie Moussouris, CEO of Luta Security. "And the GPU is notoriously difficult to sandbox because it has direct access to system memory and interrupt handlers."
For Windows users, the integration of Chromium into everything from Edge to Electron apps means that a single vulnerability can have cascading effects. Microsoft has announced that it will incorporate Google's patch into its Edge browser within 24 hours, though users can manually check for updates by navigating to edge://settings/help.
Other Chromium-based browsers like Brave, Vivaldi, and Opera will also need to merge the fix. Users of those browsers should monitor their respective update channels closely.
What This Means for IT Administrators
IT departments must prioritize this patch. The combination of active exploitation and high severity means that delaying updates could expose entire organizations to credential theft or data exfiltration. Security information and event management (SIEM) tools should be configured to alert on endpoints running Chrome versions below 149.0.7827.197.
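As an added example (not part of the article, Google's tooling, or any SIEM product): a small Python check that implements the version comparison behind both the manual verification steps above and the SIEM rule for endpoints below 149.0.7827.197, run over a constructed inventory sample. Comparing versions as integer tuples rather than strings avoids treating 149.0.7827.2 as newer than 149.0.7827.197, and unreadable versions are flagged for review rather than silently passed.

```python
import re
from typing import Optional, Tuple

# Patched build from the advisory; anything below it is affected by CVE-2026-13023.
PATCHED_VERSION = "149.0.7827.197"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted Chrome version like '149.0.7827.197' into a tuple of ints.
    Returns None for anything that is not four numeric components."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def needs_update(version: str) -> bool:
    """True if the installed version is older than PATCHED_VERSION.
    Versions that cannot be parsed are treated as needing review (True)."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(PATCHED_VERSION)


# Constructed sample inventory, one endpoint per line: "<hostname> <product> <version>".
SAMPLE_INVENTORY = """\
ws-finance-01 chrome 149.0.7827.197
ws-finance-02 chrome 149.0.7827.150
ws-legal-07 chrome 148.0.7790.21
ws-hr-03 chrome unknown
ws-dev-11 edge 149.0.7827.197
"""


def hosts_needing_update(inventory: str) -> list:
    """Return hostnames running Chrome below PATCHED_VERSION (or with an unreadable version).
    Non-Chrome rows are skipped because Edge and other Chromium browsers use their own versioning."""
    flagged = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "chrome":
            continue
        host, _, version = parts
        if needs_update(version):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```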
"We recommend treating this as a critical patch cycle," advises the Center for Internet Security (CIS) in its advisory. "Apply updates to all managed devices within 48 hours." For air-gapped systems, administrators should download the offline installer directly from Google's enterprise support page.
Microsoft has also updated its Defender for Endpoint to detect suspicious GPU read operations characteristic of this exploit. Enabling network detection and response (NDR) can help identify post-exploitation traffic even if the browser has not yet been patched.
The Discovery and Responsible Disclosure
Google credited the bug to a researcher using the alias "pixelfault" in its June 24 advisory. The researcher reported the flaw on May 2, 2026, giving Google seven weeks to develop and test a patch before public disclosure. The company paid a bounty of $15,000 under its Vulnerability Reward Program, which was increased by $5,000 due to the high-quality proof of concept provided.
The coordinated disclosure timeline was accelerated when Google's Threat Analysis Group (TAG) detected active exploitation against high-profile targets in the finance and government sectors. As a result, the patch was released two weeks earlier than planned, with the public CVE notice following on June 24.
Look Ahead: Future Protections
Google is working on longer-term mitigations for GPU vulnerabilities. These include stronger process isolation for GPU memory through virtual memory protection keys, and the adoption of SafeStack-like technologies inside the GPU command buffer code. The Chrome team has also proposed a new security feature called "Page-Level GPU Isolation" that would prevent cross-tab memory leaks even if a vulnerability is present.
In the meantime, users can reduce their exposure by disabling WebGL on sites that don't require it. Chrome's site isolation feature, which ensures that each tab runs in its own GPU process, can be forced on by enabling the chrome://flags/#enable-site-per-process flag. However, this comes with increased memory usage.
Conclusion
CVE-2026-13023 is a stark reminder that even mature software like Chrome requires constant vigilance. The active exploitation of this GPU memory disclosure flaw makes immediate patching non-negotiable. Chrome 149.0.7827.197 not only closes this dangerous vulnerability but also reinforces the need for a layered security approach that includes regular updates, endpoint detection, and user education.
As browsers become more powerful and web APIs grow, the attack surface will only expand. The responsibility falls on vendors to patch quickly, on administrators to deploy updates relentlessly, and on users to accept that that "Update your browser" prompt isn't just a suggestion—it's a defense against an ever-more sophisticated threat landscape.
Check your Chrome version now: if it's not 149.0.7827.197, update immediately.