CRITICAL | CVE-2026-13776 | CNA: Chrome

CVE-2026-13776: Type Confusion in Dawn in Google Chrome prior to 150

Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 150.0.7871.47
Affected Products: 1

HarborGuard Analysis

Synopsis

A type confusion vulnerability in Dawn, the WebGPU implementation inside Google Chrome, allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox via a crafted HTML page. The attack is reachable over the network and requires no authentication, though the victim must visit a malicious page. Successful exploitation gives the attacker full read, write, and availability impact outside the browser sandbox, effectively achieving code execution at the host level. A patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-13776 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium as a dependency.

Triage: Available

HarborGuard scores this CVE at CVSS 9.6 Critical and surfaces it with that severity weighting in each customer's triage queue; per-environment compliance policy rules can escalate or re-route the finding to the appropriate team inbox based on asset classification and policy thresholds.

Patch: Available

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be able to load attacker-served content through normal browser traffic.

  • Authentication: Not required

    No account or credential of any kind is required; any unauthenticated user who visits the malicious page is a valid target.

  • Victim interaction: Required

    The victim must open a crafted HTML page in an affected version of Chrome, making this a social-engineering or drive-by delivery scenario.

  • Attack complexity (detail)

    Attack complexity is Low (AC:L in the CVSS vector), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors. The one precondition is that the attacker has already compromised the renderer process.

Blast Radius

  • Reads any data accessible to the browser process and the underlying OS user account, including stored credentials, cookies, and session tokens.
  • Writes or modifies files and OS-level resources outside the browser sandbox, enabling persistence or further lateral movement.
  • Crashes or destabilizes the host process or dependent services, disrupting availability beyond the browser tab.
  • Because the scope is Changed (S:C in the CVSS vector), impact extends beyond the sandboxed renderer to the host environment, multiplying the effective blast radius.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome versions below 150.0.7871.47 are flagged automatically as soon as the CVE is ingested, typically within minutes of publication. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, the CVE appears in the triage queue with its full CVSS 9.6 Critical score and a direct pointer to the 150.0.7871.47 fix version. Given the sandbox-escape nature of this vulnerability and the Changed scope indicator, teams that cannot patch immediately should consider network-policy controls that restrict which hosts can serve content to Chrome instances running in containerized environments, and should audit whether internal tooling images bundle an affected Chromium build.

Fix available: 150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H