CVE-2026-13880 | Severity: CRITICAL | CNA: Chrome

CVE-2026-13880: Use after free in USB in Google Chrome on Mac prior to 150

Use after free in USB in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 150.0.7871.47
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the USB component of Google Chrome on macOS affects all Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require a victim to visit a crafted HTML page; exploitation also requires the attacker to have already compromised the Chrome renderer process. Successful exploitation enables a sandbox escape, giving the attacker code execution outside the Chrome sandbox with access to system resources. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome on macOS base layers.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and can weight that score against each environment's compliance policy to determine urgency; alerts are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard the moment the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable by or capable of connecting to attacker-controlled web content.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to get the victim to load a crafted page.

  • Victim interaction: Required

    The victim must visit a crafted HTML page, making this a social-engineering vector requiring at least one user action such as clicking a link or navigating to a malicious site.

  • Attack complexity: Detail

    Attack complexity is rated Low, meaning the exploit is reliable and reproducible without depending on race conditions or specific environmental layout, though it does require a pre-compromised renderer process as a prerequisite.

Blast Radius

  • A successful attacker escapes the Chrome sandbox on macOS, gaining code execution in the context of the browser process rather than the restricted renderer.
  • With sandbox escape achieved, the attacker reads files and credentials accessible to the logged-in user, including keychain items, cookies, and stored passwords.
  • The attacker writes or modifies files on the host filesystem within the user's permissions, enabling persistence mechanisms or tampering with local application data.
  • The attacker can crash or destabilize the host Chrome process and any dependent services, causing a denial of service for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13880 is active across all customer environments that include Chrome on macOS-based container images, with matching triggered within minutes of CVE publication. For environments running a Chrome version below 150.0.7871.47, a rebuilt image at the patched version is available through HarborGuard's image rebuild pipeline. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression test run against the updated image, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard surfaces the finding with full CVSS context and a direct link to the fix version to accelerate reviewer triage.


Fix available: 150.0.7871.47

Affected packages

  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H