CVE-2026-13869: Use after free in Device in Google Chrome on Windows prior to 150
Use after free in Device in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability affects the Device component of Google Chrome on Windows in versions prior to 150.0.7871.47. The flaw is reachable over the network without any account credentials, but requires a user to visit a crafted HTML page; it also requires that the attacker has already compromised the Chrome renderer process. Successful exploitation enables a full sandbox escape, letting the attacker read and modify data and crash processes outside the browser sandbox. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection for CVE-2026-13869 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chromium or Chrome. (Available)
HarborGuard scores this CVE at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to determine priority routing, directing findings to the appropriate team inbox within each customer organization. (Available)
A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically. (Available)
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled origin.
- Authentication: Not required
  No account credentials or prior authentication are needed; the attack is launched from an unauthenticated network position.
- Victim interaction: Required
  The user must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexity: Detail
  Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory-layout conditions, though a prior renderer compromise is a prerequisite.
Blast Radius
- A successful sandbox escape lets the attacker read files, credentials, and session data accessible to the Chrome process on the Windows host.
- The attacker gains the ability to write or modify files and registry entries outside the browser sandbox.
- The attacker can crash or terminate processes running under the compromised user account, disrupting the host.
- With code execution outside the sandbox, the attacker can pivot to other processes or escalate privileges on the Windows system.
How HarborGuard Handles This
Available on HarborGuard: any image that bundles Google Chrome for Windows is scanned against CVE-2026-13869 immediately upon registry push or pipeline trigger, with results available within minutes of CVE publication. For environments where images include a pinned Chrome binary older than 150.0.7871.47, a rebuilt image at the fixed version is available for promotion. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes the configured regression-test suite, and opens a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments that cannot immediately update, consider network-policy controls that restrict outbound browsing surfaces, and review renderer-process isolation settings as a compensating control while upgrade scheduling proceeds.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H