HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13861Published Modified CNA Chrome

CVE-2026-13861: Use after free in Core in Google Chrome prior to 150

Use after free in Core in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Core component of Google Chrome prior to version 150.0.7871.47 allows a remote attacker who has already compromised the renderer process to escape Chrome's sandbox by luring a victim to a crafted HTML page. The flaw is reachable over the network and requires no authentication, only that the victim visit or interact with attacker-controlled content. Successful exploitation gives the attacker full control outside the browser sandbox, enabling arbitrary code execution, data theft, and system tampering. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-13861 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Chrome or Chromium. Any image in a customer registry or active CI pipeline running a Chrome version below 150.0.7871.47 is flagged automatically.

Available
Triage

HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Triage notifications are delivered to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any image found running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the exploit over the network; the victim's browser must be able to reach attacker-controlled content.

  • AuthenticationNot required

    No account or credential is needed; the attacker only needs to get the victim to load a crafted page.

  • Victim interactionRequired

    The victim must visit or interact with a crafted HTML page, making this a social-engineering or malicious-link scenario.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, though it does require a prior renderer compromise as a stepping stone.

Blast Radius

  • A successful attacker escapes Chrome's renderer sandbox and gains code execution in the context of the browser process or the underlying OS user account.
  • Confidential data accessible to that user account, including stored credentials, session cookies, and local files, is exposed to the attacker.
  • The attacker can write or modify files and system state on the host, enabling persistence, lateral movement, or payload installation.
  • The affected browser session and any services it holds open can be disrupted or hijacked entirely.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below 150.0.7871.47 are matched against this CVE at ingest time, with findings surfaced immediately at CRITICAL severity. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, executes regression tests, and opens a pull request against affected workloads; for high and critical severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, the finding is routed to the configured owner inbox with fix-version details and a direct reference to the upstream Chrome release. Where compliance policy restricts automated changes, compensating controls such as network-policy rules that limit access to untrusted web origins, or feature-flag gating that disables the affected Chrome component, can be documented in HarborGuard as accepted mitigations until the patched image is promoted.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H