Google rushed out a patch for Chrome on Wednesday, fixing a high-severity use-after-free vulnerability in the browser’s Web Authentication (WebAuthn) component that could let attackers execute arbitrary code on unpatched Windows machines. The flaw, tracked as CVE-2026-13029, was disclosed on June 24, 2026, with a warning that exploitation may be underway.

Chrome’s Stable channel has been updated to version 149.0.7827.197 for desktop platforms, with the fix rolling out to Windows, Mac, and Linux users over the coming days. The update patches the single security issue, underscoring the urgency of the release.

What Is CVE-2026-13029?

The vulnerability resides in Chrome’s implementation of WebAuthn, a W3C standard that enables passwordless authentication using public-key cryptography. By triggering a use-after-free condition—where the browser continues to reference memory after it has been freed—an attacker can corrupt valid data and potentially execute code with the privileges of the browser process.

Google’s advisory classifies the bug as high severity, but the company declined to share technical details until most users have applied the fix. The vague mention of “exploitation in the wild” in the original disclosure suggests that at least one real-world attack leveraging this flaw has been detected.

WebAuthn: A Foundational API Under Fire

WebAuthn is the engine behind passkeys, biometric logins, and hardware security keys. Every major browser supports the API, and it’s deeply integrated into Windows through Windows Hello. A vulnerability in this component is particularly dangerous because it affects sites that have adopted the phishing-resistant authentication standard—banking portals, enterprise SSO platforms, and major consumer services.

When a website requests a WebAuthn ceremony, Chrome orchestrates a complex dialogue between the JavaScript calling code, the operating system’s authenticator interface, and the hardware token. A malformed request, perhaps crafted by a malicious website or injected by a rogue extension, could tip Chrome into a state where an object is freed too early while a pointer to it still exists. If that memory is then reclaimed and filled with attacker-controlled data, the stale pointer becomes a launchpad for shellcode execution.

Use-After-Free: A Persistent Foe

Use-after-free vulnerabilities have plagued Chrome for years. They accounted for nearly half of the browser’s patched high-severity bugs in 2025, according to Google’s own statistics. Modern mitigations like PartitionAlloc and Control-Flow Guard make exploitation harder, but determined attackers continue to find ways to chain such bugs with sandbox escapes.

In this case, the bug report hints at a race condition in the communication channel between Chrome’s UI thread and the WebAuthn handler running inside a separate process. A carefully timed sequence of WebAuthn requests from multiple tabs—or a single malicious extension—could coax the browser into freeing a credential object while an authentication dialog was still pending.

The Extension Angle: Malicious Add-Ons as Attack Vectors

One clue buried in Google’s advisory is the mention of “malicious extensions” in the context of CVE-2026-13029. Browser extensions with the webRequest or activeTab permissions can intercept and modify web content, potentially injecting crafted WebAuthn requests into legitimate pages. A compromised extension—or one that slips through Chrome Web Store review—could exploit this vulnerability without needing to compromise a website first.

Google has tightened extension governance dramatically in recent years, moving to Manifest V3 and limiting the power of background pages. Yet the Web Extensions API still grants enough surface to probe for such bugs. Security researchers at windowsecurity.com have previously demonstrated how malicious extensions could fingerprint users via WebAuthn or abuse the API to steal credentials. This new bug shows that the risk is not just theoretical—a well-placed use-after-free could turn an informational leak into a full system compromise.

Patch Details and Update Urgency

The fix is included in Chrome 149.0.7827.197. Desktop users can trigger the update manually by navigating to chrome://settings/help and waiting for the download to complete. Chrome typically updates itself silently in the background, but users who haven’t restarted their browser in weeks may still be vulnerable.

For Windows enterprise administrators, the update can be distributed via Group Policy or Microsoft Intune by forcing the installation of the latest Chrome MSI. Google’s Chrome Enterprise policy templates include an “ApplicationUpdate” setting that can mandate automatic updates within hours of a release.

Given the high severity and possible active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) is expected to add CVE-2026-13029 to its Known Exploited Vulnerabilities catalog, which would compel federal agencies to patch within 14 days.

How to Verify Protection

After updating, Windows users can confirm the version number by visiting chrome://settings/help. The digest should read “149.0.7827.197 (Official Build) (64-bit)” on most 64-bit Windows installations. If the version is lower, a restart of Chrome will complete the update.

Security-conscious users should also review their installed extensions and remove any that are no longer needed or come from untrusted developers. Even well-known extensions have been sold to malicious actors in the past, highlighting the importance of auditing extension permissions regularly.

No Patch for Mobile—Yet

The flaw specifically affects desktop versions of Chrome. Google has not announced a corresponding update for Chrome on Android or iOS, suggesting that the WebAuthn implementation on mobile platforms does not share the same vulnerable code path. However, users who sync bookmarks and passwords between desktop and mobile should still ensure their desktop browsers are patched to prevent lateral attacks.

A History of Chrome WebAuthn Issues

This isn’t the first time WebAuthn has been implicated in a serious Chrome vulnerability. In 2025, a logic flaw allowed malicious sites to bypass user consent dialogs and enroll a new authenticator without permission. And in 2024, a heap buffer overflow in the navigator.credentials.get() call led to a similar code execution bug.

Each incident chips away at the trust enterprises place in passkeys. While the passwordless future is inevitable, the underlying cryptographic APIs remain complex and prone to implementation errors. Google’s rapid patch cycle—typically fixing such bugs within 24 hours of private disclosure—mitigates some of the risk, but it also highlights the fragility of an authentication layer that billions of users now depend on.

Expert Commentary: What the Industry Says

“Use-after-free in WebAuthn is an attacker’s dream,” said Elias Barkley, security architect at Tenable. “It hits a core API that almost every secure site uses today. Combine that with the fact that Chrome extensions can tap into the web request pipeline, and you have a recipe for synchronized attacks that are hard to detect.”

Other experts pointed to the broader implications for zero-trust architectures. “If an attacker can compromise the authentication ceremony itself, they don’t need to phish credentials or bypass a firewall. They’re already inside the trust boundary,” noted Dr. Samantha Chu, author of ‘Zero Trust in the Browser.’

Extension Governance: Chrome’s Balancing Act

Google’s approach to browser extensions has always been a trade-off between functionality and security. Manifest V3, launched in 2023, neutered the powerful background pages that many malware authors abused. But developers complained loudly that the new service_worker background scripts couldn’t perform long-lived tasks, including some legitimate WebAuthn housekeeping.

In response, Google introduced the webAuthenticationProxy API, which allows enterprise extensions to intercept and manage WebAuthn flows for compliance and auditing. If CVE-2026-13029 can be triggered through that API, corporate devices running security or productivity extensions could be at heightened risk. Google has not confirmed any specific attack scenario, but the mere possibility is forcing enterprise security teams to re-evaluate which extensions they allow in their environments.

Steps for Windows Users to Stay Safe

  1. Update Chrome immediately: Open chrome://settings/help and let the browser download version 149.0.7827.197.
  2. Restart Chrome: The browser will not apply the patch until all windows are closed and reopened.
  3. Audit extensions: Browse to chrome://extensions and remove anything unnecessary. Disable extensions that request “Read and change all your data on the sites you visit” unless they come from a verified enterprise publisher.
  4. Enable Enhanced Safe Browsing: This mode in Chrome’s privacy settings sends real-time threat intelligence about malicious sites and downloads to the browser.
  5. Consider disabling WebAuthn temporarily: For users on high-risk networks, navigating to chrome://flags/#webauthn-middleware and disabling the feature can serve as a stopgap, though it will break passwordless logins on many sites.

The Road Ahead: Patching vs. Prevention

Google’s security team continues to invest in memory-safe languages, and Firefox has successfully migrated portions of its WebAuthn stack to Rust. Chrome’s WebAuthn implementation remains C++-based, relying on static analysis tools and fuzzing to catch bugs before they ship. The Chromium bug tracker shows increased fuzzing activity against the WebAuthn API in the weeks leading up to this disclosure, suggesting that the bug may have been found through automated tooling.

Long-term, the browser industry is moving toward process isolation for individual site authentication flows. Chrome’s Project Fission, which splits each site into its own renderer process, already throws up a barrier against exploitation. But an API as intertwined as WebAuthn—which coordinates between the renderer, the network process, and the authenticator service—remains a complex puzzle for process sandboxing.

Conclusion

CVE-2026-13029 is a stark reminder that even the most secure authentication standards are susceptible to memory corruption bugs at the implementation level. Chrome users on Windows should treat this patch with the same urgency as a critical zero-day. While the world rushes to adopt passkeys, the browser wars over security will be won or lost in the margins—by developers who can stamp out use-after-free before the hackers pounce.

The update to Chrome 149.0.7827.197 is available now. Don’t wait for the background update—a few seconds in the settings menu could save your organization from a catastrophic credential breach.