CVE-2026-13843: Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150
Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in Google Chrome for iOS, affecting all versions prior to 150.0.7871.47. A remote attacker who has already compromised the Chrome renderer process can exploit this flaw over the network by luring a victim to a crafted HTML page, with no authentication required. Successful exploitation enables a sandbox escape, granting the attacker capabilities beyond the renderer's restricted environment, including full access to confidential data, the ability to tamper with data, and disruption of service. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-13843 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, covering both third-party and custom-built images in customer registries and CI/CD pipelines.
Available
HarborGuard is capable of scoring this CVE at its full CVSS v3.1 rating of 9.6 (Critical) and weighting it against each customer organization's compliance policy to route actionable alerts to the appropriate team inbox.
Available
A patched-image rebuild pinned to Chrome for iOS version 150.0.7871.47 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim over the network, as the exploit is delivered via a remote crafted HTML page.
- Authentication: Not required
No authentication or account credentials are needed; the attacker operates entirely as an unauthenticated remote party.
- Victim interaction: Required
The victim must navigate to or be redirected to a crafted HTML page, requiring at least minimal social engineering.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond a prior renderer compromise.
Blast Radius
- A successful sandbox escape lets the attacker read arbitrary data stored in or accessible to the Chrome process on the device, including session tokens, cookies, and cached credentials.
- The attacker gains the ability to write or modify data outside the renderer sandbox, including files and application state the compromised process would not normally touch.
- The attacker can crash or destabilize the browser and any dependent services on the affected iOS device, causing denial of service.
- Because the CVSS scope is changed (S:C), impact extends beyond the Chrome sandbox itself to other components on the host system.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13843 is active across all connected registries and pipelines, matched against any image shipping a vulnerable version of Chrome for iOS below 150.0.7871.47. A patched-image rebuild at the fixed version is available immediately. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, triage findings are routed to the designated team inbox with full CVSS context and policy weighting attached.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H