CRITICAL | CVE-2026-13859 | CNA: Chrome

CVE-2026-13859: Inappropriate implementation in ANGLE in Google Chrome prior to 150

Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An inappropriate implementation flaw in the ANGLE graphics layer of Google Chrome before version 150.0.7871.47 allows a remote attacker to trigger a sandbox escape. The vulnerability is reachable over the network without authentication, but requires the victim to visit a crafted HTML page. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the browser sandbox, effectively enabling code execution in the context of the host process. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication, including custom-built images that bundle Google Chrome. Ingestion from upstream feeds (NVD, Chrome security advisories, and CNA disclosures) runs continuously so newly published CVEs are matched without manual intervention.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any image found to carry an affected Chrome version. For customers with auto-remediation enabled, HarborGuard runs a regression test against the rebuilt image and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable in a browsing context exposed to attacker-controlled content.

  • Authentication: Not required

    No authentication or account credentials are needed; the attacker only needs to get the victim to load a crafted page.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector that requires at least one user action such as clicking a link or being redirected.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • A successful sandbox escape lets the attacker execute code outside the Chrome renderer sandbox, in the context of the browser process on the host.
  • The attacker can read any data accessible to the browser process, including stored credentials, session tokens, and local profile data.
  • The attacker can write or modify files and persistent data accessible to the browser process on the host system.
  • The attacker can crash or destabilize the browser process and any dependent services, causing denial of service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13859 is active across all connected registries and CI pipelines, matching any image that packages Google Chrome below 150.0.7871.47. Because this is rated Critical (CVSS 9.6), it is prioritized at the top of the triage queue and routed immediately to the responsible team based on each environment's policy. A patched-image rebuild pinned to Chrome 150.0.7871.47 is available for affected images. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the rebuild and test results are staged and waiting for approval without any additional setup needed.

Fix available: 150.0.7871.47

Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H