HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-13920Published Modified CNA Chrome

CVE-2026-13920: Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150

Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in the Media component of Google Chrome on Windows, affecting all versions prior to 150.0.7871.47. An attacker who has already compromised Chrome's renderer process can exploit insufficient input validation by delivering a crafted HTML page to the victim, breaking out of the browser's sandbox and gaining access to the underlying Windows host. Successful exploitation grants the attacker full confidentiality, integrity, and availability impact on the host system. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-13920 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle a Chromium or Chrome binary, in both registry scans and CI pipeline checks.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 9.6 (Critical) and weighting it against each environment's compliance policy to determine breach thresholds. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim over the network, delivering a crafted HTML page to a browser running on an exposed or reachable Windows host.

  • AuthenticationNot required

    No authentication is required; the attack can be launched by any unauthenticated remote party who can get the crafted page in front of the victim.

  • Victim interactionRequired

    The victim must open or be directed to the attacker-controlled HTML page, requiring a social-engineering step such as a phishing link or malicious redirect.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and places no special environmental conditions or timing constraints on the attacker beyond the pre-compromised renderer prerequisite.

Blast Radius

  • An attacker who succeeds reads arbitrary files, credentials, and secrets stored on the Windows host outside the browser sandbox.
  • The attacker writes to or modifies files and system state on the host, enabling persistence mechanisms or lateral movement artifacts.
  • The attacker can crash or disrupt the host operating system or any running services, causing a denial of service beyond the browser process.
  • Because the scope is changed (S:C in the CVSS vector), impact extends beyond the browser itself to other processes and resources on the same Windows machine.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-13920 is active across all connected registries and pipelines, matching any image that packages a Chrome or Chromium binary below version 150.0.7871.47. Where a customer image is flagged, a rebuilt image at the fixed version (150.0.7871.47) is available for promotion. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a PR against the affected workload automatically, with a median time to merged patch PR of roughly 90 minutes for critical-severity issues. Where compliance policy does not permit auto-remediation, the flagged image and fix version appear in the vulnerability report for manual action. Customers running Chrome in container workloads on Windows hosts should treat this as a high-priority update given the sandbox-escape impact and the absence of any authentication barrier beyond the renderer pre-compromise condition.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H