CVE-2026-13784: Use after free in Views in Google Chrome prior to 150
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Views component of Google Chrome prior to version 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but an attacker must convince a victim to perform specific UI gestures on a crafted HTML page; successful exploitation causes heap corruption that gives the attacker high-confidence read and write access to process memory and can crash the browser, enabling remote code execution. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13784 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
AvailableHarborGuard scores this CVE at 9.6 CRITICAL using the published CVSS v3.1 vector and weights that score against each environment's compliance policy to determine routing priority; findings are delivered to the team inbox configured for the affected workload within the customer org.
AvailableA patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the victim's browser must be able to reach attacker-controlled web content.
- AuthenticationNot required
No account or credential is needed; any user who visits the malicious page is a viable target.
- Victim interactionRequired
The attacker must socially engineer the victim into performing specific UI gestures (such as clicks or drags) on the crafted page to trigger the use-after-free condition.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other unpredictable environmental factors once the victim completes the required gestures.
Blast Radius
- Reads arbitrary process memory, exposing session tokens, saved credentials, and page content from the compromised renderer.
- Writes to freed heap memory, enabling an attacker to corrupt browser internals and achieve remote code execution in the renderer process.
- With the Changed scope (S:C) flag in the CVSS vector, impact can break out of the renderer sandbox and affect the host browser process or other browser components.
- Crashes the affected Chrome instance, causing a denial of service for the user.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13784 is active across customer registries and pipelines the moment the advisory is ingested, covering any image that bundles a Chrome or Chromium binary below 150.0.7871.47. Where compliance policy permits, HarborGuard can trigger an automated rebuild at the fixed version, run regression tests against the rebuilt image, and open a pull request against affected workloads; for environments with auto-remediation enabled, median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. Customers who have not enabled auto-remediation will see the CVE surfaced in their HarborGuard dashboard with severity, affected image list, and the recommended fix version, allowing manual promotion of the patched image on their own schedule.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H