CVE-2026-13882: Race in USB in Google Chrome prior to 150
Race in USB in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free race condition in the USB handling code of Google Chrome prior to version 150.0.7871.47 can be reached by a remote attacker who has already compromised the Chrome renderer process. The attacker delivers a crafted HTML page over the network; the victim must visit the page, and no authentication is needed. Successful exploitation breaks out of the Chrome sandbox, giving the attacker code execution on the underlying host with full confidentiality, integrity, and availability impact. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-13882 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle Google Chrome. Ingestion from upstream feeds (NVD, Chrome advisory, and supplementary sources) runs continuously so newly published records are reflected without manual intervention.
Available
HarborGuard is capable of scoring this CVE at 9.6 CRITICAL using the CVSS v3.1 vector and weighting that score against each environment's compliance policy to determine urgency and escalation path. Triage routing to the appropriate team inbox within each customer organization is handled automatically based on image ownership and policy configuration.
Available
A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without requiring manual steps.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
  No credentials or account are needed; the attack is initiated purely by the victim loading a page.
- Victim interaction: Required
  The victim must visit the attacker-controlled HTML page, making this a social-engineering or malvertising delivery scenario.
- Attack complexity: Detail
  The exploit is described as a race condition, meaning it depends on a timing window in the USB handling code, but the CVSS AC:L rating indicates the race is reliably winnable without special environmental conditions.
Blast Radius
- The attacker escapes the Chrome renderer sandbox and gains code execution in the context of the host process, breaking the primary isolation boundary Chrome relies on.
- With a sandbox escape achieved, the attacker can read arbitrary files and data accessible to the host user, including stored credentials, session tokens, and local documents.
- The attacker can write to or modify files, persistent storage, and system configuration accessible to the compromised user account.
- The attacker can crash, hang, or otherwise disrupt the Chrome process and any dependent services, or use the foothold to destabilize the broader host.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-13882 is active across all connected registries and pipelines, matched against any image that bundles Google Chrome below 150.0.7871.47. Given the CRITICAL severity (9.6) and the sandbox-escape impact, this CVE is prioritized at the top of the triage queue under standard policy. A patched rebuild at Chrome 150.0.7871.47 is available for affected images. For customers who opt into auto-remediation, HarborGuard can complete a rebuild, run regression tests, and open a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the pull request is held pending reviewer sign-off.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H