CVE-2026-13785: Use after free in Bluetooth in Google Chrome on Mac prior to 150
Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Bluetooth component of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but the attacker must convince a user to perform specific UI gestures on a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker the ability to read sensitive data, modify files or data, and crash processes outside the Chrome renderer sandbox. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-13785 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle or pin a Chrome version. Images running any Chrome release below 150.0.7871.47 on macOS base layers are flagged automatically.
Available
HarborGuard scores this CVE at 9.6 Critical (CVSS v3.1) and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied before routing findings to the appropriate team inbox inside each customer organization.
Available
A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available in HarborGuard the moment the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the target service or user must be reachable from an external or internet-facing network position.
- Authentication: Not required
No account, session token, or credential of any kind is required before the attacker can attempt exploitation.
- Victim interaction: Required
The attacker must socially engineer the target user into visiting a crafted HTML page and performing specific UI gestures within the Chrome browser.
- Attack complexity: Detail
The exploit is reliable and imposes no race-condition or memory-layout prerequisites on the attacker once the user completes the required gestures.
Blast Radius
- Attacker escapes the Chrome renderer sandbox and executes arbitrary code in a higher-privilege process on the macOS host.
- Confidential data accessible to the Chrome process (stored credentials, session cookies, browsing history) is exposed to the attacker.
- The attacker can write or modify files and data accessible to the compromised process outside the sandbox boundary.
- The attacker can crash the browser process or dependent system services, disrupting availability for the affected user.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below version 150.0.7871.47 on macOS base layers are matched against this CVE within minutes of publication. Where compliance policy permits, HarborGuard generates a rebuilt image at the fixed version, runs a regression test pass, and opens a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the fix version so engineers can act immediately. No interim workaround fully mitigates a sandbox-escape of this severity; upgrading to 150.0.7871.47 is the recommended resolution.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H