HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14017Published Modified CNA Chrome

CVE-2026-14017: Inappropriate implementation in Navigation in Google Chrome prior to 150

Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's navigation implementation affecting versions prior to 150.0.7871.47. A remote attacker who has already compromised the Chrome renderer process can exploit this flaw by luring a victim to a crafted HTML page, breaking out of the browser sandbox to gain access to the underlying host system. Successful exploitation enables full confidentiality loss, data tampering, and service disruption on the affected host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-14017 is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. Any image carrying a vulnerable Chrome version below 150.0.7871.47 is flagged automatically.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and weights it against each customer environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available in HarborGuard the moment the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers an automated rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the target must be reachable via a browser session to an attacker-controlled or compromised site.

  • AuthenticationNot required

    No account or credentials are needed; any user who visits the malicious page is a valid target.

  • Victim interactionRequired

    The victim must open a crafted HTML page, making this a social-engineering vector where the attacker must induce a user to visit or load the malicious content.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, though a prior renderer compromise is a prerequisite.

Blast Radius

  • An attacker who succeeds reads files, credentials, and session data accessible to the browser process on the host.
  • Sandbox escape allows writing or modifying files on the host filesystem outside the browser's sandboxed storage.
  • The attacker gains code execution outside the browser sandbox, enabling persistence mechanisms or lateral movement on the host.
  • The exploit can crash or destabilize host-level processes, disrupting service availability beyond just the browser tab.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-14017 is matched against every scanned image the moment it enters the feed, with Critical-severity classification (CVSS 9.6) triggering high-priority routing in compliant environments. A rebuilt image at Chrome 150.0.7871.47 is made available as soon as the upstream package is confirmed. For customers with auto-remediation enabled, HarborGuard initiates the rebuild, executes a regression test run, and opens a pull request against each affected workload; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation active. Where compliance policy does not permit auto-remediation, the finding appears in the dashboard with remediation guidance pointing to the 150.0.7871.47 upgrade path. Until patched images are deployed, network-policy controls that restrict outbound browser access to untrusted origins serve as a compensating control for container workloads embedding Chrome.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H