CVE-2026-13796: Integer overflow in Chromecast in Google Chrome prior to 150
Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer overflow in the Chromecast component of Google Chrome before version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox. The vulnerability is reachable over the network and requires the victim to visit a crafted HTML page, but no authentication is needed. Successful exploitation gives the attacker full control outside the sandbox, including high-impact reads, writes, and disruption of the host environment. A patched-image rebuild at 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome or Chromium. Any image carrying a Chrome version below 150.0.7871.47 surfaces in the affected findings list automatically.
HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. The finding is dispatched to the appropriate team inbox within each customer organization based on configured ownership and policy rules.
A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard as soon as the fix version is resolvable in the affected image layers. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network; the targeted Chrome instance must be reachable and the victim must navigate to an attacker-controlled page.
- Authentication: Not required
No account or credential of any kind is required; the attacker interacts anonymously with the victim's browser.
- Victim interaction: Required
The victim must visit a crafted HTML page, making this a social-engineering vector where the attacker must lure or redirect the user.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no special race conditions, memory-layout guessing, or other environmental prerequisites beyond the renderer compromise assumed in the description.
Blast Radius
- Reads sensitive data accessible to the Chrome process outside the sandbox, including stored credentials, session tokens, and local files.
- Writes or modifies data on the host filesystem and any resources the compromised process can reach.
- Crashes or disrupts the affected Chrome instance and any associated services on the host.
- Breaks out of the browser sandbox entirely, giving the attacker a foothold in the broader host environment with Chrome-level OS privileges.
How HarborGuard Handles This
For any image found to include Chrome below 150.0.7871.47, a rebuilt image pinned to the fix version (150.0.7871.47) is available on HarborGuard immediately upon ingest. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual approval, the finding is queued at Critical priority with full layer-level evidence so reviewers can act without additional research. As a compensating control before patching, network policy rules that restrict outbound communication from the renderer process and limit exposure to untrusted HTML sources reduce the practical exploitability of the sandbox escape.
Fix available
- Google / Chrome: versions < 150.0.7871.47 (fixed in 150.0.7871.47)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H