HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13878Published Modified CNA Chrome

CVE-2026-13878: Use after free in Bluetooth in Google Chrome on Mac prior to 150

Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Bluetooth component of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require a victim to visit a crafted HTML page; exploitation also requires the attacker to have already compromised Chrome's renderer process. Successful exploitation allows a sandbox escape, giving the attacker code execution outside the Chrome sandbox with access to confidential data, the ability to tamper with the system, and the ability to disrupt services. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-13878 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Available
Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and makes that score available alongside per-environment compliance policy weighting, routing findings to the appropriate team inbox within each customer organization based on configured severity thresholds and asset ownership rules.

Available
Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled origin.

  • AuthenticationNot required

    No credentials or account are needed; the attack is launched from an unauthenticated network position.

  • Victim interactionRequired

    The victim must navigate to or be redirected to a crafted HTML page, making social engineering or a malicious link a prerequisite.

  • Attack complexityDetail

    While the CVSS base complexity is Low (the exploit itself is reliable and condition-free once delivered), a real-world prerequisite exists: the attacker must have already compromised the Chrome renderer process before this flaw enables a sandbox escape.

Blast Radius

  • Reads sensitive data from outside the Chrome sandbox, including files, credentials, and tokens accessible to the macOS user account running Chrome.
  • Modifies files and system state outside the sandbox, allowing persistent changes or installation of additional malicious software.
  • Crashes or disrupts services on the host beyond what Chrome's sandbox would normally permit.
  • Combines confidentiality, integrity, and availability impact at high severity, meaning full control of the affected macOS user context is achievable.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-13878 is active for any image that packages Google Chrome below version 150.0.7871.47 on a macOS base layer. Where compliance policy permits, a rebuild against the fixed version (150.0.7871.47) is queued automatically upon CVE publication. For customers who opt into auto-remediation, the typical flow includes a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high and critical severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 9.6 (Critical) scoring and routes it to the configured owner inbox so teams can act manually. Given that exploitation requires a compromised renderer process as a prerequisite, teams should also consider network-policy controls that restrict egress from container workloads running Chrome-based tooling, reducing attacker opportunity to stage the renderer compromise that this flaw depends on.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H