Chrome 130+ WebRTC Changes in 2026: PQC, HEVC, and Encoder Resolution APIs

Chrome 130-147 quietly rewired WebRTC: ML-KEM post-quantum key agreement, HEVC platform encode, scaled-input encoder constraints, and a CVE-2026-7336 use-after-free fix. Voice AI implications inside.

The change

Three Chrome milestones matter for any team running browser-side voice in 2026. First, Chrome 131 switched the WebRTC key encapsulation mechanism to the final ML-KEM standard for post-quantum key agreement on Linux/macOS/Windows; the WebRtcPostQuantumKeyAgreement enterprise policy lets admins opt out, but it is scheduled for removal in Chrome 152. Second, Chrome 130 added HEVC platform encoding to WebCodecs and exposed it through MediaCapabilities — HEVC now joins VP8, H.264, VP9, and AV1 as a first-class WebRTC codec. Third, Chrome 131 added an encoder API that scales input frames against absolute maxWidth/maxHeight constraints (e.g. 640x360) instead of relative fractions, finally giving voice-AI apps a deterministic upper bound on encode cost. And Chrome 147.0.7727.137 patched CVE-2026-7336, a WebRTC use-after-free that earned a critical CVSS — every fleet should be on 7727.138 or later.

What it unlocks

PQC matters even for voice that lives milliseconds: an attacker recording DTLS handshakes today plans to crack them with a CRQC tomorrow ("Harvest Now, Decrypt Later"). ML-KEM kills that economic model for any Chrome-to-Chrome session. HEVC unlocks 50%+ bitrate savings on agent-side video previews, which matters when a call center streams 200 concurrent supervisor screens. Absolute encoder constraints solve a real bug — Chrome used to round-trip resolution through getUserMedia constraints, and a fast laptop with a 4K webcam would silently encode 4K and tank your egress bill. Now you can pin the encoder.

flowchart TD
  A[Chrome 130] --> B[HEVC platform encode in WebCodecs]
  C[Chrome 131] --> D[ML-KEM PQC key agreement default]
  C --> E[Encoder maxWidth/maxHeight absolute]
  F[Chrome 147.0.7727.138] --> G[CVE-2026-7336 UAF fixed]
  D --> H[Harvest-now-decrypt-later mitigated]
  B --> I[50% bitrate cut for agent video]
  E --> J[Predictable egress costs]

CallSphere context

CallSphere runs 37 agents · 90+ tools · 115+ tables · 6 verticals · HIPAA + SOC 2 aligned. Our supervisor dashboard pins encoder maxWidth=1280, maxHeight=720 since Chrome 131 — egress dropped 38% on the Real Estate OneRoof Pion Go gateway 1.23 flow because realtors on 4K MacBooks no longer broadcast 4K previews to NATS. PQC is on by default for every WebRTC session; we removed the policy override in our admin Chrome image after Chrome 140. Plans $149 / $499 / $1,499, 14-day trial, 22% affiliate Year 1.

Migration steps

1. Pin Chrome ESR or Stable >= 147.0.7727.138 across your fleet (CVE-2026-7336)
2. Set explicit scaleResolutionDownTo: { maxWidth, maxHeight } on every RTCRtpSender encoding
3. Probe HEVC via navigator.mediaCapabilities.encodingInfo({ type: 'webrtc', video: { contentType: 'video/hev1.1.6.L93.B0' }})
4. Leave WebRtcPostQuantumKeyAgreement at default (Enabled) — only disable for hardware that fails ML-KEM negotiation
5. Add a chromestatus.com RSS check in your weekly platform-engineering review

FAQ

Will PQC break my old TURN server? No — DTLS-SRTP runs end-to-end browser-to-browser. TURN just relays bytes.

HEVC patent royalties? Chrome's platform encoder uses the OS HEVC stack; royalties are bundled with the OS license. Your app pays nothing extra.

Why absolute resolution constraints now? Encoder cost was unpredictable. Absolute caps let you do capacity planning without simulating every camera.

Is VP9 deprecated? No. AV1 is the long-term roadmap, but VP9 stays in for 5+ years.

Sources

• Chrome for Developers - Chrome 131 release notes - https://developer.chrome.com/release-notes/131
• WebRTC.org - Chrome Release Notes - https://webrtc.github.io/webrtc-org/release-notes/
• Windows News - Chrome 147 patches CVE-2026-7336 WebRTC UAF - https://windowsnews.ai/article/google-chrome-14707727137138-patches-cve-2026-7336-webrtc-use-after-free-a-critical-update-guide-for.416106
• Chromium - WebRTC release notes - https://chromium.googlesource.com/external/webrtc/+/master/docs/release-notes.md

Chrome 130+ WebRTC Changes in 2026: PQC, HEVC, and Encoder Resolution APIs: production view

Chrome 130+ WebRTC Changes in 2026: PQC, HEVC, and Encoder Resolution APIs usually starts as an architecture diagram, then collides with reality the first week of pilot. You discover that vector store choice (ChromaDB vs. Postgres pgvector vs. managed) is not really a vector store choice — it's a latency, freshness, and ops choice. Picking wrong forces a re-platform six months in, exactly when you have customers depending on it.

Shipping the agent to production

Production AI agents live or die on three loops: evals, retries, and handoff state. CallSphere runs 37 agents across 6 verticals, each with its own eval suite — synthetic call transcripts replayed nightly with assertion checks on extracted entities (date, time, party size, insurance, address). Without that loop, prompt regressions ship silently and you only find out when bookings drop.

Structured tools beat free-form text every time. Our 90+ function tools all enforce JSON schemas validated server-side; if the model hallucinates an integer where a string is required, we retry with a corrective system message before falling back to a deterministic path. For long-running flows, we treat agent handoffs as a state machine — booking → confirmation → SMS — so context survives turn boundaries.

The Realtime API vs. async decision usually comes down to "is the user holding the phone right now?" If yes, Realtime; if no (callback queue, after-hours voicemail), async wins on cost-per-conversation, which we track per agent in 115+ database tables spanning all 6 verticals.

FAQ

Is this realistic for a small business, or is it enterprise-only? The healthcare stack is a concrete example: FastAPI + OpenAI Realtime API + NestJS + Prisma + Postgres healthcare_voice schema + Twilio voice + AWS SES + JWT auth, all SOC 2 / HIPAA aligned. For a topic like "Chrome 130+ WebRTC Changes in 2026: PQC, HEVC, and Encoder Resolution APIs", that means you're not starting from scratch — you're configuring an agent template that's already been hardened across thousands of conversations.

Which integrations have to be in place before launch? Day one is integration mapping (scheduler, CRM, messaging) and prompt tuning against your top 20 real call transcripts. Day two through five is shadow-mode running, where the agent transcribes and recommends but a human still answers, so you can compare side-by-side. Go-live is the moment your eval pass-rate clears your internal bar.

How do we measure whether it's actually working? The honest answer: it scales until your tool catalog gets stale. The agent is only as good as the integrations it can actually call, so the operational discipline is keeping schemas, webhooks, and fallback paths green. The platform handles the rest — observability, retries, multi-region routing — without your team owning the GPU layer.

Talk to us

Want to see how this maps to your stack? Book a live walkthrough at calendly.com/sagar-callsphere/new-meeting, or try the vertical-specific demo at realestate.callsphere.tech. 14-day trial, no credit card, pilot live in 3–5 business days.