HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14037Published Modified CNA Chrome

CVE-2026-14037: Insufficient policy enforcement in GPU in Google Chrome prior to 150

Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in Google Chrome's GPU process, affecting all versions prior to 150.0.7871.47. An attacker who has already compromised the Chrome renderer process can trigger this flaw by serving a crafted HTML page over the network, requiring no authentication but needing the victim to visit the page. Successful exploitation breaks out of Chrome's sandbox, giving the attacker code execution outside the browser's isolation boundary, with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built images that bundle a Chromium or Chrome runtime.

Available
Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) using the recorded vector and can weight that score further against each environment's compliance policy, then routes the alert to the appropriate team inbox within the customer organization.

Available
Patch

A patched-image rebuild at Chrome 150.0.7871.47 becomes available through HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote host.

  • AuthenticationNot required

    No credentials or account are needed; any unauthenticated remote attacker can attempt exploitation.

  • Victim interactionRequired

    The victim must navigate to or be directed to the attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout; however, a prior renderer compromise is a prerequisite.

Blast Radius

  • Attacker breaks out of the Chrome sandbox and gains code execution in the context of the host process, outside the browser's isolation boundary.
  • With high confidentiality impact, the attacker reads files, stored credentials, session tokens, and other user data accessible to the browser process on the host.
  • With high integrity impact, the attacker writes or modifies files and data on the host system beyond what the sandboxed renderer could reach.
  • With high availability impact, the attacker crashes or disrupts the host-level process, potentially destabilizing other running applications on the same system.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14037 is active across all customer environments and fires within minutes of a matching image being scanned in any registry or pipeline stage. Given the Critical CVSS score of 9.6, this CVE is prioritized for immediate triage routing under default compliance policies. A rebuild at Chrome 150.0.7871.47 is available for any image found to ship an affected Chrome or Chromium binary. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the priority queue with a direct link to the fix version so teams can act manually.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H