CVE-2026-13853: Use after free in Journeys in Google Chrome prior to 150
Use after free in Journeys in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in the Journeys feature of Google Chrome prior to version 150.0.7871.47 allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires the victim to visit a malicious page, but no authentication is needed. Successful exploitation gives the attacker full control outside the sandbox, enabling arbitrary code execution, data theft, and system compromise. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium binary.
Available
HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine breach-of-threshold status; the finding is then routed to the appropriate team inbox within the customer organization for immediate review.
Available
A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads automatically; for Critical-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
No account or credentials are required; any unauthenticated remote attacker can attempt exploitation.
- Victim interaction: Required
The victim must visit the attacker-controlled HTML page, making social engineering or a malicious link the primary delivery vector.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors beyond having a compromised renderer process.
Blast Radius
- The attacker escapes the Chrome browser sandbox and gains code execution in the context of the host process.
- Confidential data accessible to the browser or host user account, including stored credentials, cookies, and local files, is readable by the attacker.
- The attacker can write or modify files and system state on the host, enabling persistence mechanisms or further lateral movement.
- The affected Chrome process and dependent services can be crashed or made unavailable.
How HarborGuard Handles This
Available on HarborGuard: detection runs continuously against customer image registries and pipelines, flagging any image that ships Chrome or Chromium below version 150.0.7871.47. A patched rebuild at the fixed version is queued automatically upon detection. For customers who have opted into auto-remediation, HarborGuard rebuilds the affected image, executes the configured regression-test suite, and opens a pull request against affected workloads; for Critical-severity findings, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, the PR is staged and waiting with full context attached. Customers who have not enabled auto-remediation receive an immediate alert with the affected image digest, the fix version, and a direct link to rebuild on demand.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H