CVE-2026-13883: Type Confusion in ANGLE in Google Chrome prior to 150
Type Confusion in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A type confusion vulnerability in ANGLE, the graphics translation layer inside Google Chrome, allows a remote attacker to escape the browser sandbox via a crafted HTML page. The attack is reachable over the network and requires no authentication, though the victim must visit a malicious page. Successful exploitation gives the attacker code execution outside the browser sandbox, with full access to confidential data, the ability to modify system state, and the ability to crash or destabilize the affected host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13883 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
AvailableHarborGuard scores this CVE at CVSS 9.6 (Critical) and is capable of weighting findings against each environment's compliance policy to determine urgency and route alerts to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the service (the victim's browser session) must be reachable from the internet.
- AuthenticationNot required
No account or credential is needed; any unauthenticated remote party can serve the malicious page.
- Victim interactionRequired
The victim must navigate to or load a crafted HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout tricks, or other environmental prerequisites.
Blast Radius
- Reads sensitive data from outside the browser sandbox, including files, credentials, and session material accessible to the browser process user.
- Modifies files and system state outside the browser sandbox, enabling persistent changes or secondary payload installation.
- Crashes or destabilizes the affected host process, causing service disruption beyond the browser tab.
- Because the scope is Changed in the CVSS vector, impact extends to components outside the vulnerable browser process itself.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome versions below 150.0.7871.47 are flagged automatically as vulnerable upon ingestion, with no manual scan trigger required. Where compliance policy permits, a rebuilt image at 150.0.7871.47 becomes available immediately, and customers with auto-remediation enabled receive a full rebuild, a regression-test run, and a pull request opened against affected workloads. For Critical-severity issues like this one, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS detail and fix-version guidance so teams can prioritize manual remediation. Given the sandbox-escape severity and the Changed scope rating, teams should treat this as high priority regardless of whether the affected images run in user-facing or internal contexts.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H