External risk intelligence

Chrome Bluetooth Use After Free Sandbox Escape

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-13785

The vulnerability resides in the client-side browser application and requires a user to perform specific UI gestures on a crafted HTML page. It is not an internet-facing service, API, or edge gateway, but rather a client-side execution path that is not typically exposed as a network-reachable service.

Use After Free

Google Chrome

before 150.0.7871.47

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Google Chrome for Mac that could allow a remote attacker to escape the browser's sandbox. This is achieved through a user being tricked into interacting with a specially crafted web page, potentially leading to significant compromise.

  • Flaw in Chrome's Bluetooth could allow attackers to escape the sandbox.
  • Leaders should remember it impacts widely used browser technology.
  • Confirm relevance and exposure for affected systems.

Attack Path

How an attacker could exploit the issue

A remote attacker can trick a user into interacting with a malicious webpage containing specific user interface gestures. This interaction could allow the attacker to escape the browser's sandbox, potentially leading to system compromise.

  • Requires user interaction with malicious page.
  • Triggered by specific UI gestures on crafted page.
  • Risk of sandbox escape and system compromise.

Live Threat

Current exploitation, exposure, and threat context

A use-after-free vulnerability in Chrome's Bluetooth component could allow a remote attacker to escape the browser's sandbox. This could occur when a user interacts with a specially crafted HTML page.

  • System data on the user's Mac.
  • Remote attacker engages user.
  • Potential sandbox escape.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical vulnerability in Google Chrome requires user interaction and can lead to a sandbox escape. Responsibility for addressing this typically falls to teams managing end-user computing or application deployments, such as IT operations, endpoint security, or desktop support. The immediate priority is to identify all affected Chrome instances, assess their business criticality and user impact, and then plan remediation, likely involving coordination with end-users to ensure updates are applied.

  • Endpoint or application owners should own.
  • Verify user exposure and exploitability.
  • Plan user-impacted remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Google Chrome on macOS?

Google Chrome is a web browser used for accessing online applications and websites. On macOS, it relies on the operating system's security features to manage hardware resources, including Bluetooth connectivity, which allows the browser to communicate with nearby wireless peripherals.

What does CVE-2026-13785 mean by use-after-free?

This is a memory management error, specifically CWE-416. It occurs when software continues to use a memory location after that memory has been cleared or released. If an attacker can manipulate this process, they may be able to run unauthorized code or bypass security protections, such as the browser's sandbox.

How is this Bluetooth vulnerability triggered?

The flaw requires a user to visit a specially crafted web page and perform specific UI gestures. It does not trigger simply by browsing a site or having Bluetooth enabled; the attacker must convince the user to interact with the malicious page in a particular way to initiate the flawed code path.

Is my Mac at risk according to Halo Surface Signal?

Halo Surface Signal indicates this is a client-side browser issue rather than an internet-facing service or server-side API. Because it requires targeted user interaction on a specific web page, it is not an automated network threat, making it less likely to be triggered by passive exposure.

Do I need to update Chrome to fix CVE-2026-13785?

Yes. To resolve the risk, ensure your browser is updated to version 150.0.7871.47 or later. Since this vulnerability affects end-user software, IT or desktop support teams should coordinate to verify that all Chrome instances on managed macOS devices are running the patched version.

References