CVE-2026-13789: Use after free in GPU in Google Chrome prior to 150
Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the GPU component of Google Chrome (versions prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox via a crafted HTML page. The attack is initiated over the network and requires the victim to visit or interact with a malicious page, but no authentication is needed. Successful exploitation gives the attacker full read, write, and execution capability outside the browser sandbox, effectively compromising the underlying host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13789 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. This matching covers custom-built images that bundle or depend on an affected Chrome version, not just upstream base images.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.6 (Critical) and weighting that score against each environment's compliance policy to determine priority. Triage alerts can be routed to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim's browser fetches attacker-controlled content from a remote origin.
- AuthenticationNot required
No account or credential is required; any unauthenticated remote attacker can serve the malicious page.
- Victim interactionRequired
The victim must visit or otherwise load the attacker's crafted HTML page, making this a social-engineering or drive-by-download scenario.
- Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions beyond the renderer compromise already assumed by the vulnerability.
Blast Radius
- An attacker who escapes the sandbox gains code execution in the context of the browser process, outside Chrome's isolation boundary, with access to the host OS.
- Confidentiality impact is High: the attacker can read files, credentials, session tokens, and other data accessible to the user running Chrome.
- Integrity impact is High: the attacker can write to the filesystem, modify persisted application data, or install persistent malware.
- Availability impact is High: the attacker can crash or terminate processes, corrupt data, or render the affected system unusable.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13789 is active across all connected registries and pipelines, matching any image that bundles a Chrome version below 150.0.7871.47. Given the Critical (9.6) severity and the sandbox-escape impact, this CVE is surfaced at the highest priority tier. A patched rebuild at Chrome 150.0.7871.47 is available for affected images. For customers who opt into auto-remediation, HarborGuard performs the image rebuild, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and full diff are staged and held for reviewer sign-off. Customers who cannot immediately redeploy should consider network-policy controls that restrict which origins Chrome instances within their containers can fetch from, reducing the drive-by-download surface until the patched image is promoted.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H