CVE-2026-13846: Use after free in USB in Google Chrome on Mac prior to 150
Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the USB handling code of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require a victim to load a crafted HTML page in a browser where the renderer process has already been compromised. Successful exploitation allows a remote attacker to escape Chrome's sandbox, giving them access to the host operating system beyond the browser's normal isolation boundary. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.
AvailableHarborGuard scores this finding at CVSS 9.6 (Critical) and is capable of weighting it further against each customer org's compliance policy before routing the alert to the appropriate team inbox.
AvailableA patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted HTML page over the network, so the targeted host must be reachable through a browser session exposed to attacker-controlled web content.
- AuthenticationNot required
No account credentials or prior authentication are needed; any anonymous visitor to the malicious page is a viable target.
- Victim interactionRequired
The victim must load a crafted HTML page in the browser, requiring the attacker to social-engineer or redirect the user to attacker-controlled content.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors, though it does assume the renderer process is already compromised as a prerequisite.
Blast Radius
- A successful attacker escapes Chrome's sandbox and gains code execution in the context of the host macOS user account running the browser.
- Confidential data accessible to that user account, including files, keychain secrets, and session tokens stored on disk, becomes readable to the attacker.
- The attacker can write or modify files on the host filesystem within the permissions of the compromised user, enabling persistence mechanisms or data tampering.
- The attacker can crash or disrupt the browser process and any dependent services running under the same user context.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13846 is active across all connected registries and pipelines, matching any image that packages a vulnerable Chrome release on a macOS base layer. For environments where a match is found, a rebuilt image at Chrome 150.0.7871.47 is available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass against the patched image, and opens a pull request against affected workloads; for high and critical-severity findings, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before remediation, the finding is routed to the designated team inbox with full CVSS context and policy weighting attached.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H