CVE-2026-13798: Heap buffer overflow in Chromecast in Google Chrome prior to 150
Heap buffer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap buffer overflow vulnerability exists in the Chromecast component of Google Chrome prior to version 150.0.7871.47. The flaw is reachable over the network and requires no prior authentication, though a victim must interact with a crafted HTML page, and the attacker must already have compromised the Chrome renderer process. Successful exploitation enables a sandbox escape, giving the attacker full read, write, and denial-of-service capability on the underlying system. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-13798 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. No manual configuration is required to trigger a match against affected versions below 150.0.7871.47.
HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and weights it against each environment's configured compliance policy, escalating findings that breach policy thresholds automatically. Routed alerts reach the correct team inbox based on per-organization routing rules, so the right engineers see it without manual triage.
A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard once the fix version is confirmed against the affected image layers. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the targeted Chrome instance must be reachable or the victim must browse to an attacker-controlled resource across the internet.
- Authentication: Not required
No account credentials or session tokens are needed; any unauthenticated remote attacker can serve the malicious page.
- Victim interaction: Required
The victim must open or be directed to a crafted HTML page, making this a social-engineering or drive-by scenario where user action triggers the overflow.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and imposes no special race-condition or memory-layout preconditions beyond the attacker already controlling the renderer process.
Blast Radius
- A successful sandbox escape lets the attacker execute arbitrary code outside the Chrome sandbox with the privileges of the browser process.
- The attacker gains full read access to files, credentials, and session data accessible by the browser process on the host.
- The attacker can write or modify data on the host filesystem within the browser process scope, including cached credentials and stored profiles.
- The attacker can crash or destabilize the browser process, causing a denial of service for the affected user session.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome below 150.0.7871.47 are flagged as Critical the moment the CVE enters HarborGuard's feed. A patched rebuild targeting version 150.0.7871.47 is made available for any affected image layer configuration detected in a customer registry or pipeline. Where compliance policy permits and auto-remediation is enabled, HarborGuard rebuilds the image, runs the configured regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues in auto-remediation environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is surfaced with full CVSS context and fix-version detail so engineers can act manually. Given the renderer-process precondition on this exploit, teams that cannot immediately patch may also consider restricting Chromecast feature access via Chrome policy flags as a short-term compensating control while the rebuild is prepared.
Fix available
- Google / Chrome: affected < 150.0.7871.47 (fixed in 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H