CVE-2026-13782: Use after free in Browser in Google Chrome prior to 150
Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in Google Chrome's browser process (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network and requires the victim to visit a malicious or attacker-controlled page, but no authentication is needed. Successful exploitation gives the attacker full code execution outside the sandbox, enabling read and write access to the host system and the ability to crash or disrupt the browser entirely. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-13782 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle a Chrome or Chromium binary. Any image in a customer registry or CI pipeline running a Chrome version below 150.0.7871.47 is flagged automatically.
HarborGuard scores this CVE at 9.6 Critical using the published CVSS v3.1 vector, and per-environment compliance policy weighting can escalate or suppress the alert priority based on each organization's risk profile. Triage findings are routed to the inbox configured for the affected workload owner within each customer org, so the right team sees it without manual filtering.
A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard once the upstream fix is confirmed, ready to replace any affected base or application image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against the affected workload automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by serving a crafted HTML page from a remote host, meaning the Chrome browser must be able to make outbound connections to attacker-controlled infrastructure.
- Authentication: Not required
  No account, credential, or prior session is needed; any unauthenticated remote party can deliver the malicious page.
- Victim interaction: Required
  The victim must navigate to or be redirected to the attacker-controlled HTML page, making this a social-engineering vector requiring at least one user action such as clicking a link.
- Attack complexity: Low
  Attack complexity is Low, meaning the exploit is reliable and imposes no special race-condition, memory-layout, or environmental precondition beyond the renderer compromise that is the stated starting point.
Blast Radius
- Attacker escapes the Chrome sandbox and executes arbitrary code in the context of the browser process on the host operating system.
- With sandbox escape achieved, the attacker reads files, stored credentials, cookies, and session tokens accessible to the browser process user.
- The attacker writes or modifies files on the host, installs persistent payloads, or alters browser profile data.
- The browser process can be crashed or terminated, disrupting service for the affected user session.
How HarborGuard Handles This
Available on HarborGuard: any image containing a Chrome binary below version 150.0.7871.47 is flagged as soon as the CVE is ingested, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image against Chrome 150.0.7871.47, executes a regression run, and opens a pull request against the affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation requires manual approval, the rebuilt image and PR are staged and waiting for a single reviewer action. Given the critical severity and sandbox-escape impact, teams that cannot immediately redeploy the patched image should consider network-policy controls that restrict which hosts the browser process can reach, reducing the attacker's ability to serve the crafted page to at-risk users.
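The version check described above can be reproduced for images outside a scanner's reach. The following is an added example, not HarborGuard's implementation: it classifies captured `--version` output against the fixed version 150.0.7871.47. The image names and sample outputs are constructed, and the function names are hypothetical.

```python
import re

# Fixed version stated in the advisory; builds below it are affected.
FIXED = (150, 0, 7871, 47)

# A four-part Chrome/Chromium version, not embedded in a longer dotted string.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the version as a tuple of ints, or None if none is present."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED):
    """Classify `--version` output as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_chrome_version(text)
    if version is None:
        # Fail closed: an unreadable version is a finding, not a pass.
        return "unknown"
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would rank "99.0.4844.51" and "150.0.7871.9" above "150.0.7871.47".
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Map each image name to its classification."""
    return {image: classify(output) for image, output in inventory.items()}


# Constructed sample inventory: image name -> captured `--version` output.
SAMPLE = {
    "registry.example/web-e2e:1.4": "Google Chrome 149.0.7840.112 ",
    "registry.example/pdf-render:2.0": "Chromium 150.0.7871.47 snap",
    "registry.example/legacy-scraper:0.9": "Google Chrome 99.0.4844.51",
    "registry.example/crawler:3.1": "Google Chrome 150.0.7871.9",
    "registry.example/report-gen:latest": "sh: google-chrome: not found",
}

if __name__ == "__main__":
    for image, status in sorted(triage(SAMPLE).items()):
        print(f"{status:10}  {image}")
```

Images classified as "unknown" need manual inspection, since a missing or renamed binary does not show that no Chrome build is bundled.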
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H