CVE-2026-13934: Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150
Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an input-validation flaw in Dawn, the WebGPU implementation in Google Chrome on Android, in versions prior to 150.0.7871.47. Dawn processes WebGPU commands sent by the renderer and runs outside the renderer sandbox (in Chrome's GPU process), which is why a bug in it is a sandbox-escape primitive rather than a renderer bug. The flaw is triggered by a crafted HTML page, so delivery needs no authentication but does need the victim to load attacker-controlled content; it also assumes the attacker has already compromised the renderer process, which is a separate exploit outside this CVE. Successful exploitation gives the attacker code execution outside the renderer sandbox, with high impact on confidentiality, integrity, and availability. Note the two severities on this page: the CVSS v3.1 vector scores the bug at 9.6 CRITICAL because the vector (PR:N, UI:R) does not express the renderer-compromise prerequisite, while Chromium rates it Medium precisely because that prerequisite must be met first. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection: available across every HarborGuard environment. The CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built Android-based container images that bundle a Chrome or Chromium runtime. Matching runs continuously against images in customer registries and CI/CD pipelines, not only at initial scan time.
Scoring: HarborGuard scores this CVE at 9.6 CRITICAL using the supplied CVSS v3.1 vector and weights findings against each environment's compliance policy, escalating findings accordingly. Triage alerts are routed to the inbox configured for each customer organization, so the right team sees the finding without manual sorting.
Remediation: a patched-image rebuild at Chrome version 150.0.7871.47 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker delivers the crafted HTML page over the network, so the victim's browser must be able to reach an attacker-controlled or attacker-influenced origin (an internet site, an injected ad or iframe, or a compromised internal page).
- Authentication: Not required
No account or credential is needed; any unauthenticated user browsing to the attacker-controlled page is a viable target.
- Victim interaction: Required
The victim must open a crafted HTML page in Chrome on Android, making this a social-engineering vector that requires luring the user to attacker-controlled content.
- Attack complexity: Low (CVSS), with a caveat
The CVSS vector rates attack complexity Low because, once the renderer process is compromised, no special conditions are needed to reach the flawed validation in Dawn. Obtaining that renderer compromise requires a separate exploit; the CVSS score does not account for it, which is why Chromium's own severity rating is Medium while the CVSS score is 9.6.
Blast Radius
- Attacker breaks out of the renderer sandbox and executes arbitrary code in the process that hosts Dawn (Chrome's GPU process), outside the browser's normal containment for web content.
- With sandbox escape, the attacker reads files, credentials, and session data accessible to the Chrome process on the device.
- The attacker can write or modify data stored by Chrome, including cookies, cached credentials, and locally persisted application state.
- The attacker can crash or destabilize the Chrome process and any dependent services, causing denial of service on the affected device.
How HarborGuard Handles This
Any container image that packages Google Chrome for Android at a version below 150.0.7871.47 is flagged as soon as the image is scanned or on the next scheduled ingest cycle. For customers who opt into auto-remediation, HarborGuard queues a rebuild pinned to 150.0.7871.47, runs the configured regression suite against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is surfaced in the triage queue with the fix version populated so engineers can act on it directly. Until a rebuild is confirmed deployed, network-egress or URL-allowlist policy that restricts which origins Chrome-based workloads may load content from serves as a compensating control: it limits delivery of a crafted HTML page but does not remove the flaw. When verifying a fix, compare the full four-component version numerically; a string comparison will misorder versions such as 150.0.7871.5 and 150.0.7871.47.
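The version check described above, as an added example that is not HarborGuard's scanner code: it pulls a four-part Chrome version out of either a User-Agent string or a line of Android `dumpsys package` output, compares it numerically against 150.0.7871.47, and only flags records that identify as Android (the platform check on the token "android" and the sample records are assumptions constructed for this illustration).

```python
import re
from typing import NamedTuple, Optional

# Fix version from the advisory; anything numerically below it is affected.
FIXED_VERSION = "150.0.7871.47"

# Four-part Chrome version in a User-Agent ("Chrome/150.0.7871.47") or in
# Android `dumpsys package` output ("versionName=150.0.7871.47").
VERSION_RE = re.compile(r"(?:Chrome/|versionName=)(\d+(?:\.\d+){3})")


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so the comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly below the fix version."""
    return parse_version(version) < parse_version(fixed)


def extract_chrome_version(text: str) -> Optional[str]:
    """Return the first Chrome version found in a UA string or dumpsys line."""
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


class Finding(NamedTuple):
    source: str
    version: Optional[str]
    affected: bool
    reason: str


def triage(text: str, source: str) -> Finding:
    """Classify one record against CVE-2026-13934 (Chrome on Android only)."""
    version = extract_chrome_version(text)
    if version is None:
        return Finding(source, None, False, "no Chrome version found")
    # Assumption: Android records carry "Android" in the UA or the
    # com.android.chrome package name in dumpsys output.
    if "android" not in text.lower():
        return Finding(source, version, False, "not Chrome on Android")
    if is_affected(version):
        return Finding(source, version, True, f"{version} < {FIXED_VERSION}")
    return Finding(source, version, False, f"{version} >= {FIXED_VERSION}")


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    ("ua-1", "Mozilla/5.0 (Linux; Android 15; Pixel 8) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/149.0.7862.12 Mobile Safari/537.36"),
    ("ua-2", "Mozilla/5.0 (Linux; Android 15; Pixel 8) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/150.0.7871.47 Mobile Safari/537.36"),
    # Would be misordered by a string compare: "150.0.7871.5" > "150.0.7871.47"
    ("ua-3", "Mozilla/5.0 (Linux; Android 14; SM-S928B) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/150.0.7871.5 Mobile Safari/537.36"),
    # Desktop Chrome: out of scope for this Android-specific CVE.
    ("ua-4", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/149.0.7862.12 Safari/537.36"),
    ("dumpsys-1", "Package [com.android.chrome] (3a1f2b): versionName=151.0.7900.10"),
]


def run_triage(records=SAMPLE_RECORDS) -> list:
    """Triage every record and return the findings in input order."""
    return [triage(text, source) for source, text in records]


if __name__ == "__main__":
    for finding in run_triage():
        flag = "AFFECTED" if finding.affected else "ok"
        print(f"{finding.source:10} {flag:8} {finding.reason}")
```

The numeric tuple comparison is the point of the example: a naive string comparison would report `ua-3` (150.0.7871.5) as patched because `"5"` sorts after `"4"`.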
Fix available
- Google / Chrome: affected < 150.0.7871.47; fixed in 150.0.7871.47
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H