CVE-2026-13781: Insufficient validation of untrusted input in Skia in Google Chrome prior to 150
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sandbox escape vulnerability in the Skia graphics library used by Google Chrome versions prior to 150.0.7871.47. It is the second stage of an attack chain: an attacker who has already gained code execution inside the Chrome renderer process (through a separate bug) delivers a crafted HTML page and abuses insufficient validation of untrusted input in Skia to break out of the renderer sandbox. Successful exploitation gives the attacker code execution outside the browser sandbox, with the read and write access to the host that the user running Chrome has, and the ability to crash the host process or dependent services. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection capability for CVE-2026-13781 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images, within minutes of ingestion from upstream feeds. Any container image embedding a Chrome binary earlier than 150.0.7871.47 is flagged automatically in both registry scans and CI pipeline checks.
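The check described above (and again under "How HarborGuard Handles This") reduces to comparing the version reported by the bundled Chrome binary against the fixed version. The following is an added example, not HarborGuard's own scanner code: it parses the output of `google-chrome --version` / `chromium --version`, compares the four-part version numerically, and contrasts that with a plain string comparison, which silently misclassifies builds such as 150.0.7871.5 (lexically "greater" than 150.0.7871.47). The sample `--version` lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed version from the advisory; any Chrome build that sorts below it is affected.
FIXED_VERSION = "150.0.7871.47"

Version = Tuple[int, ...]

# Chrome/Chromium versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text: str) -> Optional[Version]:
    """Extract the first four-part version from e.g. 'Google Chrome 149.0.7800.12'."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version in `version` sorts numerically below the fixed version."""
    found = parse_chrome_version(version)
    target = parse_chrome_version(fixed)
    if found is None or target is None:
        raise ValueError(f"unparseable version string: {version!r}")
    return found < target


def naive_string_compare_is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The wrong way: lexical comparison of raw strings. Kept only to show the pitfall."""
    return version < fixed


def triage(version_outputs: List[str]) -> Dict[str, str]:
    """Map each `--version` line to 'affected', 'fixed' or 'unknown' (unparseable)."""
    results: Dict[str, str] = {}
    for line in version_outputs:
        try:
            results[line] = "affected" if is_affected(line) else "fixed"
        except ValueError:
            # A missing binary or garbage output must surface as a finding, not as "fixed".
            results[line] = "unknown"
    return results


# Constructed sample outputs of `<chrome binary> --version`; not from real scans.
SAMPLE_OUTPUTS = [
    "Google Chrome 149.0.7800.12",
    "Chromium 150.0.7871.47",
    "Google Chrome 150.0.7871.5",
    "Google Chrome 151.0.7900.3",
    "bash: google-chrome: command not found",
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{verdict:8s}  {line}")
    # The string comparison gets both of these wrong (reports them as not affected).
    for bad in ("150.0.7871.5", "99.0.4844.51"):
        print(bad, "string-compare says affected:", naive_string_compare_is_affected(bad),
              "| numeric says affected:", is_affected(bad))
```

In a CI check the input would be the output of something like `docker run --rm <image> google-chrome --version`; the binary name varies between packages (google-chrome, chromium, chromium-browser), so feed whichever one the image ships, and treat "unknown" as a finding that needs a human look rather than as a pass.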
HarborGuard scores this CVE at 9.6 CRITICAL using the CVSS v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage results are delivered to the inbox configured for the affected workload owner inside each customer org, so the right team sees it without manual triage overhead.
A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available in HarborGuard as soon as the fix version is confirmed against the upstream advisory. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against every affected workload, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim's browser over the network, typically by serving a crafted HTML page from a remote host.
- Authentication: Not required
No account or credentials on the targeted system are needed; the attack is launched against any user who visits the malicious page.
- Victim interaction: Required
The victim must navigate to or be redirected to the attacker-controlled HTML page, making this a social-engineering or drive-by scenario.
- Attack complexity: Low
AC:L in the CVSS vector means exploitation does not depend on conditions outside the attacker's control; it says nothing about how reliable a real exploit is. Note also that the vector rates the sandbox-escape step alone: as the upstream description states, the attacker must already have compromised the renderer process, so a working attack is a chain of two bugs, a renderer compromise plus this escape.
Blast Radius
- Attacker breaks out of the Chrome browser sandbox, gaining code execution in the context of the host OS user running Chrome.
- Confidential data accessible to that OS user, including session tokens, credentials stored on disk, and local files, becomes readable.
- The attacker can write or modify files on the host filesystem, including configuration files and application data.
- The host process or dependent services can be crashed or made unavailable, disrupting the user's workload.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13781 runs against every scanned image at ingestion time, flagging any image that bundles Chrome earlier than 150.0.7871.47 with a CRITICAL severity alert. For customers with auto-remediation enabled, HarborGuard queues a rebuild at the patched version, executes regression tests, and opens a PR against affected workloads; for critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval before remediation, the finding is surfaced in the customer's triage queue with CVSS scoring and policy weighting applied so reviewers can act immediately. For environments that cannot update immediately, reduce the chance that the workload renders attacker-controlled content at all: restrict the Chrome-based workload's egress to an allow-list of trusted origins, and do not feed it untrusted HTML until the patched rebuild is deployed. Keep Chrome's own sandbox enabled as well (do not run with --no-sandbox, a common shortcut in container images), since this bug only matters once an attacker is already inside the renderer; with the sandbox disabled, the first renderer bug is already a full compromise.
Fix available
- Google / Chrome: < 150.0.7871.47 (fixed in 150.0.7871.47)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H