CRITICAL | CVE-2026-13796 | CNA: Chrome

CVE-2026-13796: Integer overflow in Chromecast in Google Chrome prior to 150

Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 150.0.7871.47
Affected Products: 1


HarborGuard Analysis

Synopsis

An integer overflow in the Chromecast component of Google Chrome before version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox. The vulnerability is reachable over the network and requires the victim to visit a crafted HTML page, but no authentication is needed. Successful exploitation gives the attacker full control outside the sandbox, including high-impact reads, writes, and disruption of the host environment. A patched-image rebuild at 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome or Chromium. Any image carrying a Chrome version below 150.0.7871.47 surfaces in the affected findings list automatically.

Triage (Available)

HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. The finding is dispatched to the appropriate team inbox within each customer organization based on configured ownership and policy rules.

Patch (Available)

A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard as soon as the fix version is resolvable in the affected image layers. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the targeted Chrome instance must be reachable and the victim must navigate to an attacker-controlled page.

  • Authentication: Not required

    No account or credential of any kind is required; the attacker interacts anonymously with the victim's browser.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector where the attacker must lure or redirect the user.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special race conditions, memory-layout guessing, or other environmental prerequisites beyond the renderer compromise assumed in the description.

Blast Radius

  • Reads sensitive data accessible to the Chrome process outside the sandbox, including stored credentials, session tokens, and local files.
  • Writes or modifies data on the host filesystem and any resources the compromised process can reach.
  • Crashes or disrupts the affected Chrome instance and any associated services on the host.
  • Breaks out of the browser sandbox entirely, giving the attacker a foothold in the broader host environment with Chrome-level OS privileges.

How HarborGuard Handles This

Available on HarborGuard: for any image found to include Chrome below 150.0.7871.47, a rebuilt image pinned to the fix version (150.0.7871.47) is available immediately upon ingest. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments that require manual approval, the finding is queued at Critical priority with full layer-level evidence so reviewers can act without additional research. As a compensating control before patching, network policy rules that restrict outbound renderer process communication and limit exposure to untrusted HTML sources reduce the practical exploitability of the sandbox escape.


Fix available: 150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H