CVE-2026-13775: Use after free in GPU in Google Chrome prior to 150
Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the GPU component of Google Chrome prior to version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network and requires no authentication, though the victim must visit or be redirected to a malicious page. Successful exploitation gives the attacker code execution outside the sandbox, with full read, write, and availability impact on the host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13775 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
Available
HarborGuard scores this CVE at 9.6 CRITICAL using the published CVSS v3.1 vector, and triage is available with per-environment compliance policy weighting applied automatically. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Available
A patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the target Chrome instance must be reachable by the victim browsing to an attacker-controlled or compromised web page.
- Authentication: Not required
No credentials or account privileges are required; any user browsing to the malicious page is a viable target.
- Victim interaction: Required
The victim must visit or be directed to a crafted HTML page, making this a social-engineering or drive-by-style delivery.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors beyond the renderer-process compromise prerequisite.
Blast Radius
- The attacker escapes the Chrome sandbox and gains code execution in the context of the host process, breaking the primary isolation boundary Chrome relies on.
- With sandbox escape achieved, the attacker reads files, credentials, and session tokens accessible to the browser process on the host.
- The attacker writes or modifies files on disk and can persist malicious code or tamper with locally stored data.
- The attacker disrupts or terminates host-level processes, causing service or system instability on the affected machine.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13775 activates within minutes of the advisory being published and covers every customer image that packages a Chrome or Chromium binary, including internally built images. For environments where an affected version is identified, a rebuilt image at Chrome 150.0.7871.47 is made available. For customers who have opted into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is queued with CRITICAL priority and routed to the designated team inbox for review. Given the severity and the sandbox-escape impact, teams not yet on auto-remediation should treat this as a priority manual update.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H