HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13869Published Modified CNA Chrome

CVE-2026-13869: Use after free in Device in Google Chrome on Windows prior to 150

Use after free in Device in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability affects the Device component of Google Chrome on Windows in versions prior to 150.0.7871.47. The flaw is reachable over the network without any account credentials, but requires a user to visit a crafted HTML page; it also requires that the attacker has already compromised the Chrome renderer process. Successful exploitation enables a full sandbox escape, giving the attacker the ability to read, write, and crash processes outside the browser sandbox. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-13869 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chromium or Chrome.

Available
Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to determine priority routing, directing findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance must be reachable or the user must browse to an attacker-controlled origin.

  • AuthenticationNot required

    No account credentials or prior authentication are needed; the attack is launched from an unauthenticated network position.

  • Victim interactionRequired

    The user must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory-layout conditions, though a prior renderer compromise is a prerequisite.

Blast Radius

  • A successful sandbox escape lets the attacker read files, credentials, and session data accessible to the Chrome process on the Windows host.
  • The attacker gains the ability to write or modify files and registry entries outside the browser sandbox.
  • The attacker can crash or terminate processes running under the compromised user account, disrupting the host.
  • With code execution outside the sandbox, the attacker can pivot to other processes or escalate privileges on the Windows system.

How HarborGuard Handles This

Available on HarborGuard: any image that bundles Google Chrome for Windows is scanned against CVE-2026-13869 immediately upon registry push or pipeline trigger, with results available within minutes of CVE publication. For environments where images include a pinned Chrome binary older than 150.0.7871.47, a rebuilt image at the fixed version is available for promotion. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes the configured regression-test suite, and opens a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments that cannot immediately update, consider network-policy controls that restrict outbound browsing surfaces, and review renderer-process isolation settings as a compensating control while upgrade scheduling proceeds.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H