CVE-2026-14037: Insufficient policy enforcement in GPU in Google Chrome prior to 150
Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a sandbox escape vulnerability in Google Chrome's GPU process, affecting all versions prior to 150.0.7871.47. An attacker who has already compromised the Chrome renderer process can trigger this flaw by serving a crafted HTML page over the network, requiring no authentication but needing the victim to visit the page. Successful exploitation breaks out of Chrome's sandbox, giving the attacker code execution outside the browser's isolation boundary, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome runtime.
AvailableHarborGuard scores this finding at CVSS 9.6 (Critical) using the recorded vector and can weight that score further against each environment's compliance policy, then routes the alert to the appropriate team inbox within the customer organization.
AvailableA patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote host.
- AuthenticationNot required
No credentials or account are needed; any unauthenticated remote attacker can attempt exploitation.
- Victim interactionRequired
The victim must navigate to or be directed to the attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout; however, a prior renderer compromise is a prerequisite.
Blast Radius
- Attacker breaks out of the Chrome sandbox and gains code execution in the context of the host process, outside the browser's isolation boundary.
- With high confidentiality impact, the attacker reads files, stored credentials, session tokens, and other user data accessible to the browser process on the host.
- With high integrity impact, the attacker writes or modifies files and data on the host system beyond what the sandboxed renderer could reach.
- With high availability impact, the attacker crashes or disrupts the host-level process, potentially destabilizing other running applications on the same system.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-14037 is active across all customer environments and fires within minutes of a matching image being scanned in any registry or pipeline stage. Given the Critical CVSS score of 9.6, this CVE is prioritized for immediate triage routing under default compliance policies. A rebuild at Chrome 150.0.7871.47 is available for any image found to ship an affected Chrome or Chromium binary. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the priority queue with a direct link to the fix version so teams can act manually.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H