CRITICAL | CVE-2026-13909 | CNA: Chrome

CVE-2026-13909: Insufficient policy enforcement in DevTools in Google Chrome prior to 150

Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 150.0.7871.47
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insufficient policy enforcement vulnerability in Google Chrome's DevTools component affecting versions prior to 150.0.7871.47. The vulnerability is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page; additionally, the attacker must have already compromised the Chrome renderer process. Successful exploitation enables a full sandbox escape, giving the attacker read access to sensitive data, the ability to modify files or browser state, and the ability to disrupt the affected process, all at high impact across confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-13909 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium installation. Coverage applies to both registry scans and pipeline-integrated builds.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine priority routing. Triage findings are delivered to the inbox configured for the affected workload owner within each customer organization.

Status: Available

Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled network resource.

  • Authentication: Not required

    No account or credential is needed; the attack is launched by getting the victim to load a crafted page from an unauthenticated remote location.

  • Victim interaction: Required

    The victim must navigate to or be socially engineered into opening a crafted HTML page, giving the attacker the opportunity to trigger the policy enforcement flaw.

  • Attack complexity: Detail

    Exploit reliability is high once the renderer process is compromised; no race conditions or specific memory layout requirements are imposed by the vulnerability itself, though the prerequisite renderer compromise adds situational complexity.

Blast Radius

  • A successful sandbox escape lets the attacker read files and data outside the Chrome sandbox, including stored credentials, session tokens, and local user files.
  • The attacker gains the ability to write or modify files and browser state on the host, enabling persistence or data tampering.
  • The attacker can crash or disrupt the Chrome process and any dependent browser sessions, causing a denial of service for the affected user.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser sandbox to resources controlled by the underlying operating system.

How HarborGuard Handles This

Available on HarborGuard: any image containing Google Chrome below version 150.0.7871.47 is flagged as soon as the CVE is ingested, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at Chrome 150.0.7871.47, executes a regression run, and opens a PR against the affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with a severity of Critical and full CVSS detail, so the responsible team can act manually. Given the sandbox-escape impact and the prerequisite of renderer compromise, teams that cannot patch immediately should consider network-policy controls that restrict outbound connections from Chrome-based workloads and evaluate whether DevTools access can be disabled via enterprise policy as a compensating control.
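A minimal exposure check for the two things this section asks teams to establish: whether a Chrome build is below 150.0.7871.47, and whether DevTools is already disallowed by managed policy. This is an added example, not HarborGuard's code. It assumes the policy in question is Chrome's `DeveloperToolsAvailability` enterprise policy (value 2 disallows DevTools), a name the page does not give, and the page does not establish that the setting blocks this bug. The inventory entries are constructed.

```python
import json
import re

FIXED = (150, 0, 7871, 47)  # fixed version stated on this page

def parse_version(text):
    """Pull the four-part version out of `--version` output or a bare string."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(text):
    # Compare as integer tuples: as strings, "99.0.4844.84" sorts after
    # "150.0.7871.47" and an old build would be reported as patched.
    return parse_version(text) < FIXED

def devtools_disallowed(policy_json):
    """True when managed policy sets DeveloperToolsAvailability to 2 (assumed policy name)."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError:
        return False  # an unreadable policy file is treated as not applied
    return isinstance(policy, dict) and policy.get("DeveloperToolsAvailability") == 2

def assess(version_output, policy_json="{}"):
    if not is_affected(version_output):
        return "patched"
    if devtools_disallowed(policy_json):
        return "affected: DevTools disallowed by policy, still needs upgrade"
    return "affected: no compensating policy"

# Constructed sample inventory: (image name, `--version` output, managed policy JSON).
SAMPLES = [
    ("ci-runner", "Google Chrome 149.0.7827.155", "{}"),
    ("pdf-render", "Chromium 99.0.4844.84 built on Debian",
     '{"DeveloperToolsAvailability": 2}'),
    ("e2e-tests", "Google Chrome 150.0.7871.47", "{}"),
]

if __name__ == "__main__":
    for name, version, policy in SAMPLES:
        print(f"{name}: {assess(version, policy)}")
```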


Fix available: 150.0.7871.47

Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H