CVE-2026-13780: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient input validation in ANGLE, the graphics abstraction layer embedded in Google Chrome, allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network and requires no authentication, though it does require a user to interact with a malicious page. Successful exploitation gives the attacker full read, write, and availability impact on the host, breaking out of the containment boundary that normally limits browser-based compromise. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13780 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
Available
HarborGuard scores this CVE at 9.6 CRITICAL using the published CVSS v3.1 vector and weights it further against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer organization.
Available
A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any image found to include an affected Chrome or Chromium version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing a victim to a crafted HTML page, so the affected service must be reachable from an external or network-adjacent position.
- Authentication: Not required
  No account or credential is needed; any anonymous visitor to a malicious page can trigger the exploit.
- Victim interaction: Required
  The victim must visit or be redirected to the attacker-controlled HTML page, making social engineering or a malicious ad/link a prerequisite.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no race conditions, specific memory layout, or other unpredictable environmental factors beyond a prior renderer compromise.
Blast Radius
- Attacker escapes the Chrome sandbox and gains code execution in the context of the browser process on the host operating system.
- Reads files, credentials, and session data accessible to the user running Chrome, including stored passwords and authentication tokens.
- Writes or modifies files on the host filesystem, enabling persistence mechanisms or tampering with local data.
- Crashes or destabilizes the browser and potentially host-level services, causing service disruption beyond the browser sandbox.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome versions below 150.0.7871.47 are flagged as soon as the CVE enters the ingest pipeline, typically within minutes of publication. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs a regression test suite, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a detailed finding report are staged and waiting for review. Because this vulnerability involves a sandbox escape with full host-level impact, HarborGuard strongly recommends treating any unpatched image bundling Chrome as a critical deployment blocker until the upgrade is confirmed merged and deployed.
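The deployment-blocker check described above can be approximated locally. The following is an added example, not HarborGuard's code: a version gate that scans a CycloneDX-style SBOM for bundled Chrome or Chromium packages below 150.0.7871.47. The package names, the SBOM sample and its version strings are constructed assumptions.

```python
import json
import re

FIXED = (150, 0, 7871, 47)  # first fixed Chrome version, taken from the advisory
# Assumed package names for bundled Chrome/Chromium; extend for your base images.
CHROME_NAMES = {"google-chrome-stable", "google-chrome", "chromium", "chromium-browser"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first MAJOR.MINOR.BUILD.PATCH in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version_text):
    """True if below FIXED. Unparseable versions count as affected (fail closed)."""
    v = parse_version(version_text)
    # Tuple comparison is numeric per field, so patch 100 sorts above patch 47.
    return v is None or v < FIXED

def affected_components(sbom_json):
    """List (name, version) of affected Chrome/Chromium components in an SBOM."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version", "")
        if name in CHROME_NAMES and is_affected(version):
            hits.append((name, version))
    return hits

# Constructed sample SBOM (not real scan output); distro suffixes and epochs included.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "google-chrome-stable", "version": "150.0.7871.46-1"},
        {"name": "chromium", "version": "150.0.7871.100"},
        {"name": "chromium-browser", "version": "1:149.0.7000.120-0ubuntu1"},
        {"name": "openssl", "version": "3.0.13"},
    ],
})

if __name__ == "__main__":
    for name, version in affected_components(SAMPLE_SBOM):
        print(f"BLOCK: {name} {version} is below {'.'.join(map(str, FIXED))}")
```

A plain string comparison would wrongly flag `150.0.7871.100` as older than `150.0.7871.47`, which is why the versions are compared as integer tuples.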
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H