Google has rushed out a fix for a dangerous use-after-free vulnerability in Chrome’s Cast Receiver component. The flaw, tracked as CVE-2026-13898, affects all Chrome versions before 150.0.7871.47 on Windows and could allow a remote attacker to execute code inside the browser’s sandbox, potentially leading to full system compromise when chained with a separate sandbox escape.

Google’s update is rolling out now via the browser’s automatic updater, and security experts are urging users and IT administrators to apply it immediately—the vulnerability is already under limited exploitation in the wild, according to Google’s advisory.

What Changed in Chrome 150.0.7871.47

The centerpiece of this release is a patch for CVE-2026-13898, a use-after-free bug in the Cast Receiver component. A use-after-free occurs when a program continues to reference a memory location after it has been freed, creating a window for attackers to inject malicious instructions. In this case, a remote attacker could craft a rogue Cast connection or lure a user to a specially crafted webpage to trigger the flaw, gaining the ability to execute arbitrary code within the confines of Chrome’s renderer process sandbox.

While the sandbox blocks direct access to the underlying operating system, it is not impenetrable. If an attacker pairs this exploit with a second—perhaps an unpatched operating system vulnerability or another Chrome sandbox escape—they could break out and compromise the entire Windows machine. Google has assigned a “High” severity rating to CVE-2026-13898, a common designation for flaws that allow code execution in a sandboxed process.

The update also patches 11 other security vulnerabilities, four of which are rated High, including a heap buffer overflow in WebGPU and an inappropriate implementation in the V8 JavaScript engine. Full details will be published on Google’s Chrome Release blog once a majority of users have received the fix.

How the Cast Receiver Vulnerability Works

Chrome’s Cast Receiver is the hidden module that allows your browser to be a casting target—for instance, when you mirror a tab from another device or stream content to your desktop. It parses incoming data streams and manages media playback instructions. Because it runs with elevated privileges inside Chrome’s sandbox, a use‑after‑free bug here lets an attacker seize control of the rendering process and potentially read or write data belonging to other open tabs.

To exploit the flaw, an attacker would typically set up a malicious sender device or convince a user to visit a website under their control. The page could then initiate a cast session and deliver a payload that corrupts memory in the Cast Receiver, leading to code execution. No user interaction is required beyond visiting the compromised page; the Cast Receiver is always active, ready to accept incoming connections.

Google has not publicly disclosed the exact method of exploitation, but the company confirmed in its advisory that “Google is aware that an exploit for CVE-2026-13898 exists in the wild.” Independent researchers credited with reporting the bug include members of the SSRF Security Team and an anonymous contributor.

Who Is Affected and What’s at Stake

Every Windows user running a Chrome version earlier than 150.0.7871.47 is vulnerable. That includes the stable channel, as well as any Extended Stable or Beta channel installations that have not been manually updated. While Chrome’s automatic update mechanism typically installs patches within days, many home users block updates or leave the browser running for weeks, leaving themselves exposed.

For everyday users, the main risk is a “drive-by” attack. Visiting a malicious website—perhaps one delivered through a phishing link or an ad network compromise—could let an attacker steal session cookies, inject malicious extensions, or install backdoors that persist even after Chrome is closed. Because the attack happens inside the sandbox, traditional antivirus tools may not flag it.

In enterprise environments, the danger is amplified. A compromised endpoint can serve as a foothold for lateral movement, especially if the attacker manages a full sandbox escape. IT teams should also be aware that other Chromium‑based browsers—including Microsoft Edge, Brave, and Opera—may incorporate the same vulnerable Cast Receiver code. Microsoft typically manages its own patches for Edge, but administrators should verify that all installed Chromium forks are updated.

Google’s Response and the Patch Timeline

Google patched the flaw in Chrome 150.0.7871.47, which began rolling out to the stable channel on Monday. The company did not provide an exact timeline for the vulnerability’s discovery, but security researchers often report such bugs through Google’s Vulnerability Reward Program (VRP). Under the program’s rules, Google has 90 days to fix a critical or high‑severity vulnerability before public disclosure.

The short turnaround suggests that CVE-2026-13898 was reported recently—possibly within the last two weeks—and triaged as an emergency because of its potential impact and the existence of an exploit. Google credited the reporters in its advisory but withheld technical details to give users time to patch.

In a related update, the Chrome Security Team noted that the upcoming Chrome 151 release will include additional hardening for the Cast subsystem, moving it further out of the critical renderer process and reducing its attack surface.

How We Got Here: Cast and Chromium Security

Chrome’s Cast functionality was introduced in 2013, initially as a separate extension. Over the years, it evolved into a deeply integrated feature, with the receiver component bundled directly into the browser. Despite its ubiquity, the Cast subsystem has had a relatively clean security record, with only a handful of high‑severity flaws reported since its inception.

That changed in 2025, when a series of Chromium imports led to a surge in WebRTC‑related vulnerabilities. Because the Cast Receiver shares code paths with WebRTC for peer‑to‑peer communications, bugs in one library often affect the other. Google responded by accelerating its transition to the newer Mojo‑based Cast protocol, but the older code paths remained active for backward compatibility.

CVE-2026-13898 is the highest‑profile warning to date that the legacy Cast implementation needs a thorough audit. Google has pledged to deprecate the old Cast transport layer entirely by Chrome version 152, but until then, users remain reliant on timely patches.

What to Do Now

For Everyday Users

  1. Update Chrome immediately. Click the three‑dot menu in the top‑right corner, go to Help > About Google Chrome. The browser will automatically download and install version 150.0.7871.47. Relaunch when prompted.
  2. Verify the version. After relaunch, navigate to chrome://settings/help and confirm that the displayed number is 150.0.7871.47 or higher.
  3. Enable automatic updates (if disabled). In the same settings page, ensure that “Automatically update Chrome for all users” is checked.
  4. Consider suspending the Cast feature until the transition to Mojo is complete. While not a permanent fix, you can disable the receiver by turning off the “Media Router” flag. Go to chrome://flags/#media-router and set it to “Disabled.” Note that this will break tab mirroring and some streaming services.

For IT Administrators

  • Deploy the updated MSI package across your organization immediately. The official enterprise bundle is available from the Chrome Enterprise download page.
  • Audit all managed endpoints for out‑of‑date Chrome versions. Use your endpoint detection and response (EDR) tool to flag any Chrome installation below 150.0.7871.47.
  • Verify that Group Policy settings still dictate automatic updates. The policy UpdatePolicyOverride should be set to “Always allow updates – recommended.”
  • If you must delay the rollout due to compatibility testing, isolate devices that cannot be updated from the broader network and apply a temporary block on inbound Cast traffic at the firewall level (usually WebRTC ports 8008‑8009 and high‑numbered UDP ports).
  • For Edge or other Chromium browsers, check for updates through the browser’s respective enterprise channels and apply patches as soon as they are available.

The Bigger Picture: Browser Sandboxing Under Siege

CVE-2026-13898 is a reminder that the browser sandbox is only as strong as its weakest link. While Chromium’s multi‑process architecture has dramatically raised the bar for attackers, legacy components like the Cast Receiver remain an attractive target because they bridge the gap between isolated web content and the underlying platform. Google’s long‑term plan is to rewrite Cast using memory‑safe languages like Rust, a project already underway for other parts of Chrome.

In the meantime, users should treat browser patches with the same urgency as operating system updates. Modern attacks increasingly chain multiple browser bugs, and the window between a fix and active exploitation is shrinking—sometimes to mere hours.

What’s Next

Google will release a technical post‑mortem on the Chrome Security Blog once most users have updated. The report is expected to detail how the use‑after‑free was triggered and what steps the company is taking to prevent similar issues in the new Mojo Cast implementation. Separately, the Chromium community is tracking a proposal to sandbox the Cast Receiver as a standalone service, further isolating it from critical browser logic.

For now, the immediate priority is to patch. Check your Chrome version now; if you see anything lower than 150.0.7871.47, stop what you’re doing and update.