HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13846Published Modified CNA Chrome

CVE-2026-13846: Use after free in USB in Google Chrome on Mac prior to 150

Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the USB handling code of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require a victim to load a crafted HTML page in a browser where the renderer process has already been compromised. Successful exploitation allows a remote attacker to escape Chrome's sandbox, giving them access to the host operating system beyond the browser's normal isolation boundary. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Available
Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) and is capable of weighting it further against each customer org's compliance policy before routing the alert to the appropriate team inbox.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the targeted host must be reachable through a browser session exposed to attacker-controlled web content.

  • AuthenticationNot required

    No account credentials or prior authentication are needed; any anonymous visitor to the malicious page is a viable target.

  • Victim interactionRequired

    The victim must load a crafted HTML page in the browser, requiring the attacker to social-engineer or redirect the user to attacker-controlled content.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors, though it does assume the renderer process is already compromised as a prerequisite.

Blast Radius

  • A successful attacker escapes Chrome's sandbox and gains code execution in the context of the host macOS user account running the browser.
  • Confidential data accessible to that user account, including files, keychain secrets, and session tokens stored on disk, becomes readable to the attacker.
  • The attacker can write or modify files on the host filesystem within the permissions of the compromised user, enabling persistence mechanisms or data tampering.
  • The attacker can crash or disrupt the browser process and any dependent services running under the same user context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13846 is active across all connected registries and pipelines, matching any image that packages a vulnerable Chrome release on a macOS base layer. For environments where a match is found, a rebuilt image at Chrome 150.0.7871.47 is available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass against the patched image, and opens a pull request against affected workloads; for high and critical-severity findings, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before remediation, the finding is routed to the designated team inbox with full CVSS context and policy weighting attached.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H