CVE-2026-13783: Use after free in Views in Google Chrome prior to 150
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Views component of Google Chrome prior to version 150.0.7871.47. The flaw is reachable over the network and requires no authentication, though a victim must be persuaded to perform specific UI gestures on a crafted HTML page. Successful exploitation corrupts heap memory and gives the attacker full read, write, and crash capabilities in the browser process, enabling data theft, content tampering, and denial of service. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13783 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome binary.
AvailableHarborGuard scores this CVE at 9.6 CVSS v3.1 (Critical) and surfaces it accordingly in each customer environment, with per-environment compliance policy weighting applied to route the finding to the right team or inbox inside the customer org.
AvailableA patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for any image found to bundle an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the victim's browser must be able to reach attacker-controlled content on the internet or local network.
- AuthenticationNot required
No account, session, or credential of any kind is required; the attack is launched through an ordinary unauthenticated web page.
- Victim interactionRequired
The attacker must convince the victim to visit the crafted page and perform specific UI gestures, making social engineering a prerequisite for exploitation.
- Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other hard-to-control environmental factors.
Blast Radius
- A successful attacker gains the ability to read browser memory contents, including stored session tokens, saved credentials, and page data from other origins.
- The attacker can write to heap memory, allowing modification of in-flight web content or browser state.
- The heap corruption can be leveraged to crash the Chrome renderer or browser process, causing a denial of service for the affected user.
- Because the CVSS scope is Changed, the exploit can break out of the renderer sandbox and affect resources beyond the originating browser context.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome versions below 150.0.7871.47 are flagged as Critical the moment the CVE enters the ingestion feed. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, executes the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured team inbox with full CVSS detail and a direct reference to the fix version so engineers can act immediately. Where compliance policy permits network-policy controls as a compensating measure prior to patching, isolating browser-running workloads from arbitrary outbound internet access reduces the surface available to deliver the crafted HTML page.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H