CVE-2026-13792: Use after free in Touchbar in Google Chrome on Mac prior to 150
Use after free in Touchbar in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Touchbar component of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network without any authentication, but requires a user to visit a specially crafted HTML page. Successful exploitation allows a remote attacker to escape the browser sandbox and gain the ability to read sensitive data, modify files, and crash or take control of the affected system. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-13792 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on macOS base layers. Any image carrying a Chrome version below 150.0.7871.47 is flagged automatically.
AvailableHarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and weights it against each customer organization's compliance policy to determine routing priority. Triage alerts are directed to the appropriate team inbox within each customer org based on their configured ownership rules.
AvailableA patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available on HarborGuard the moment the fix version is confirmed in the upstream feed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the target to a crafted HTML page, so the Chrome instance must be reachable via normal web browsing.
- AuthenticationNot required
No account or credential is needed; the attacker only needs to get the target to load a URL.
- Victim interactionRequired
The user must visit an attacker-controlled or compromised web page, making this a social-engineering or malicious-ad delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites beyond the victim loading the page.
Blast Radius
- Attacker escapes the Chrome renderer sandbox and gains code execution in the browser process, breaking the primary isolation boundary between web content and the host OS.
- Confidential data accessible to the browser (stored credentials, session cookies, locally cached files) becomes readable to the attacker.
- The attacker can write or modify files on the host filesystem with the permissions of the Chrome process user.
- The affected Chrome process can be crashed or hijacked, disrupting the user's session and any dependent services.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below 150.0.7871.47 are flagged as CRITICAL the moment CVE-2026-13792 enters the ingestion pipeline, typically within minutes of upstream publication. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at Chrome 150.0.7871.47, runs a regression test pass, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a full diff are staged and waiting for reviewer sign-off. Because this is a sandbox-escape class vulnerability with a CVSS score of 9.6, customers who cannot immediately rebuild are advised to apply network-policy controls that restrict which internal users or services can reach external URLs through Chrome-based tooling, as a compensating control until the patched image is deployed.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H