HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13901Published Modified CNA Chrome

CVE-2026-13901: Insufficient policy enforcement in Serial in Google Chrome prior to 150

Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's Serial API, affecting all versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but a victim must visit a crafted HTML page, and the attacker must have already compromised the renderer process. Successful exploitation lets an attacker break out of Chrome's sandbox, gaining the ability to read, modify, or destroy data and processes beyond the browser's normal isolation boundary. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-13901 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed publication. This matching covers custom-built images that bundle Chrome or Chromium, not just official base images.

Available
Triage

HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each customer organization's compliance policy before routing the finding to the appropriate team inbox.

Available
Patch

A patched-image rebuild at Chrome 150.0.7871.47 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the exploit over the network by luring the victim to a crafted HTML page, so the Chrome instance must be reachable via a browser session.

  • AuthenticationNot required

    No account credentials or session tokens are required; the attack is launched from an unauthenticated web page.

  • Victim interactionRequired

    The victim must open a crafted HTML page, making this a social-engineering-dependent attack that requires at least one user action.

  • Attack complexityDetail

    Attack complexity is rated Low, meaning the exploit is reliable and does not depend on race conditions or special environmental layout, though a prior renderer compromise is a prerequisite.

Blast Radius

  • An attacker who escapes the sandbox can read files and process memory outside the browser's isolation boundary, including stored credentials and session data.
  • The attacker gains the ability to write or modify files and data accessible to the browser process user on the host.
  • The attacker can crash or terminate the affected service or broader host processes, causing a denial of service.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser to other components or containers sharing the host environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-13901 activates the moment the advisory is ingested, matching any image that bundles an affected Chrome or Chromium version against the fix boundary of 150.0.7871.47. A rebuild at the patched version is available for affected images. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS 9.6 Critical score and full vector detail attached. Customers not yet able to upgrade should consider restricting access to internal Chrome-based tooling via network policy isolation and evaluating whether the Web Serial API can be disabled via enterprise policy as a compensating control until the patched image is deployed.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H