CVE-2026-13909: Insufficient policy enforcement in DevTools in Google Chrome prior to 150
Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient policy enforcement vulnerability in Google Chrome's DevTools component affecting versions prior to 150.0.7871.47. The vulnerability is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page; additionally, the attacker must have already compromised the Chrome renderer process. Successful exploitation enables a full sandbox escape, giving the attacker read access to sensitive data, the ability to modify files or browser state, and the ability to disrupt the affected process, all at high impact across confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-13909 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium installation. Coverage applies to both registry scans and pipeline-integrated builds.
HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine priority routing. Triage findings are delivered to the inbox configured for the affected workload owner within each customer organization.
A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled network resource.
- Authentication: Not required
No account or credential is needed; the attack is launched by getting the victim to load a crafted page from an unauthenticated remote location.
- Victim interaction: Required
The victim must navigate to or be socially engineered into opening a crafted HTML page, giving the attacker the opportunity to trigger the policy enforcement flaw.
- Attack complexity
Exploit reliability is high once the renderer process is compromised; no race conditions or specific memory layout requirements are imposed by the vulnerability itself, though the prerequisite renderer compromise adds situational complexity.
Blast Radius
- A successful sandbox escape lets the attacker read files and data outside the Chrome sandbox, including stored credentials, session tokens, and local user files.
- The attacker gains the ability to write or modify files and browser state on the host, enabling persistence or data tampering.
- The attacker can crash or disrupt the Chrome process and any dependent browser sessions, causing a denial of service for the affected user.
- Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser sandbox to resources controlled by the underlying operating system.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome below version 150.0.7871.47 is flagged as soon as the CVE is ingested, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at Chrome 150.0.7871.47, executes a regression run, and opens a PR against the affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with a severity of Critical and full CVSS detail, so the responsible team can act manually. Given the sandbox-escape impact and the prerequisite of renderer compromise, teams that cannot patch immediately should consider network-policy controls that restrict outbound connections from Chrome-based workloads and evaluate whether DevTools access can be disabled via enterprise policy as a compensating control.
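The two defensive actions this paragraph describes are a version check (flag anything below 150.0.7871.47) and, where patching must wait, the DevTools enterprise-policy control. The script below is an added example and is not HarborGuard's or Chromium's code: it compares version strings numerically rather than lexically (so that "150.0.7871.5" is correctly ordered below "150.0.7871.47"), strips distro package revisions such as "-1~deb12u1", and emits the managed-policy document that sets the real Chrome policy `DeveloperToolsAvailability` to 2 (DevTools disallowed). The inventory records, the package-name set and the policy file name are constructed assumptions; the Linux managed-policy directory `/etc/opt/chrome/policies/managed/` is Chrome's documented location. Whether disabling DevTools closes this specific escape path is not stated in the advisory, so treat the policy as the control the advisory asks you to evaluate, not as a substitute for the 150.0.7871.47 rebuild.

```python
import json
import re

# Fixed version taken from the advisory.
FIXED_VERSION = "150.0.7871.47"

# Leading dotted-numeric part of a version string; anything after it
# (Debian revision "-1", "~deb12u1", build suffixes) is ignored.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(raw):
    """Turn a Chrome/Chromium version string into a tuple of ints.

    Tuples compare element-wise, which avoids the classic lexical bug where
    "150.0.7871.5" sorts after "150.0.7871.47".
    """
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


# Assumed package names under which Chrome/Chromium shows up in an image SBOM.
CHROME_PACKAGES = {"google-chrome-stable", "chromium", "chromium-browser"}


def flag_inventory(records):
    """Return image names whose Chrome/Chromium package is below the fix.

    Each record is a dict with 'image', 'package' and 'version' keys;
    non-browser packages are skipped.
    """
    flagged = []
    for rec in records:
        if rec["package"] in CHROME_PACKAGES and is_affected(rec["version"]):
            flagged.append(rec["image"])
    return flagged


def devtools_policy():
    """Managed-policy document for the compensating control.

    DeveloperToolsAvailability=2 disallows DevTools for all sites; 1 allows
    it and 0 only blocks it for force-installed extensions.
    """
    return {"DeveloperToolsAvailability": 2}


# Constructed sample inventory: one affected Chrome, one affected Debian
# Chromium, one already at the fix, one newer, one non-browser package.
SAMPLE_INVENTORY = [
    {"image": "ci/e2e-runner:41", "package": "google-chrome-stable", "version": "150.0.7871.5"},
    {"image": "render/pdf-worker:7", "package": "chromium", "version": "149.0.7800.12-1~deb12u1"},
    {"image": "ci/e2e-runner:42", "package": "google-chrome-stable", "version": "150.0.7871.47"},
    {"image": "qa/headless:3", "package": "chromium", "version": "151.0.7900.1"},
    {"image": "api/gateway:9", "package": "openssl", "version": "3.0.13-1"},
]

if __name__ == "__main__":
    for image in flag_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED {image}: Chrome/Chromium below {FIXED_VERSION}")
    # Assumed file name inside Chrome's managed-policy directory on Linux.
    print("/etc/opt/chrome/policies/managed/disable-devtools.json:")
    print(json.dumps(devtools_policy(), indent=2))
```

Run stand-alone it lists the two affected images and prints the policy file contents; dropping that JSON into the managed-policy directory applies on the next Chrome start.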
Fix available
- Google / Chrome: < 150.0.7871.47 (fix available from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H