CRITICAL CVE-2026-13854 (CNA: Chrome)

CVE-2026-13854: Use after free in Ozone in Google Chrome on Linux prior to 150

Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Ozone display subsystem of Google Chrome on Linux, affecting all versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, though a victim must visit a crafted HTML page; an attacker who has already compromised the renderer process can trigger the bug to escape the Chrome sandbox. Successful exploitation grants the attacker full read, write, and execution capabilities outside the sandbox, effectively giving them a foothold on the underlying host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-13854 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Linux images that bundle a Chromium or Chrome binary. Any image layer containing a Chrome version below 150.0.7871.47 on Linux is flagged automatically.

Status: Available

Triage

Triage is available with a CVSS v3.1 score of 9.6 (CRITICAL), surfaced alongside per-environment compliance policy weighting so that teams with stricter sandbox-escape policies receive elevated priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by luring the victim to a crafted HTML page, so the Chrome instance must be reachable through normal browsing activity.

  • Authentication: Not required

    No credentials or account are needed; any unauthenticated remote attacker can attempt the exploit once the victim visits the malicious page.

  • Victim interaction: Required

    The victim must open a crafted HTML page, meaning the attacker must socially engineer a user into visiting an attacker-controlled or compromised site.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions or race-condition requirements beyond the renderer compromise precondition noted in the advisory.

Blast Radius

  • An attacker who triggers the bug escapes the Chrome sandbox, breaking the primary isolation boundary between browser content and the host operating system.
  • With sandbox escape achieved, the attacker reads files and data accessible to the Chrome process user, including session tokens, cookies, and credentials stored on disk.
  • The attacker can write to the filesystem or inject code into other processes running under the same user account, modifying persisted application data.
  • The attacker can crash or disrupt the Chrome process and any co-located services, causing denial of service on the affected host.

How HarborGuard Handles This

Available on HarborGuard: images containing Chrome on Linux are scanned against CVE-2026-13854 within minutes of the advisory being ingested, with findings scored at CVSS 9.6 CRITICAL. A patched rebuild at version 150.0.7871.47 is made available as soon as the affected image is identified. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy does not permit automatic remediation, the finding is routed to the responsible team with full CVSS context and remediation guidance so the upgrade can be applied manually.


Fix available: 150.0.7871.47

Affected packages

  • Google / Chrome: < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
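
One way to check a version string against the affected range listed above (< 150.0.7871.47), as an added example that is not HarborGuard's code; the function names and the sample inventory are constructed for illustration. It compares the four version components numerically, because a plain string comparison misorders values such as 150.0.7871.100 and 99.0.4844.51.

```python
import re

# Fixed version stated on this page for CVE-2026-13854.
FIXED = (150, 0, 7871, 47)

# Four-part version as it appears in version banners or package metadata.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(text):
    """True if the version is below FIXED, False if not, None if no version found."""
    version = parse_version(text)
    if version is None:
        return None  # undetermined: surface for manual review, do not assume safe
    return version < FIXED  # tuple comparison is numeric, component by component


def triage(inventory):
    """Map each image name to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {name: labels[is_affected(banner)] for name, banner in inventory}


# Constructed sample inventory: (image name, version banner found in the image).
SAMPLE_INVENTORY = [
    ("render-worker", "Google Chrome 149.0.7800.12 "),
    ("pdf-export", "Chromium 150.0.7871.47 built on Debian"),
    ("e2e-tests", "Google Chrome 150.0.7871.100"),  # string compare would misorder this
    ("legacy-kiosk", "Google Chrome 99.0.4844.51"),  # and this
    ("scratch-image", "chrome: command not found"),
]

if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY).items():
        print(f"{image}: {status}")
```
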