CVE-2026-14038 | Severity: CRITICAL | CNA: Chrome

CVE-2026-14038: Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 150

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: 150.0.7871.47
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an insufficient input validation vulnerability in the New Tab Page component of Google Chrome versions prior to 150.0.7871.47. It is reachable over the network and requires no authentication, but does require the victim to interact with a crafted HTML page; additionally, the attacker must have already compromised the renderer process before exploiting this flaw. Successful exploitation enables a sandbox escape, granting the attacker elevated access beyond the browser sandbox and allowing them to read sensitive data and tamper with files or system state on the host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-14038 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Chrome or Chromium. The capability covers both registry scans and inline pipeline checks at build time.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 9.3 (Critical) and weighting it against each environment's configured compliance policy to determine escalation priority. Triage routing is available to deliver findings to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available on HarborGuard once the upstream fix is confirmed for an affected image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled remote origin.

  • Authentication: Not required

    No account credentials or prior authentication are needed; the attack is initiated by getting the victim to visit a crafted page.

  • Victim interaction: Required

    The victim must open a crafted HTML page, making social engineering or malicious ad/link delivery a necessary part of the attack chain.

  • Attack complexity: Detail

    The base exploit is considered low complexity once conditions are met, though a prerequisite renderer-process compromise must already be in place before this vulnerability can be leveraged for sandbox escape.

Blast Radius

  • Reads sensitive data accessible to the browser process outside the sandbox, including stored credentials, cookies, and local files the browser user can access.
  • Modifies files or system state on the host by breaking out of the Chrome sandbox and operating with the privileges of the browser's OS-level user account.
  • The availability impact is rated None in the CVSS vector, so crash or denial-of-service of the host system is not a direct consequence of this specific vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14038 is active across all scanning environments, matching any image that bundles a Chrome or Chromium binary older than 150.0.7871.47. Given the Critical CVSS score of 9.3, this CVE is prioritized at the top of triage queues under standard HarborGuard severity policy. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the patched version, execute a regression test run, and open a pull request against the affected workload repositories. The median time from CVE publication to a merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS detail, affected image inventory, and a direct link to the upstream Chrome release notes so engineering teams can act immediately.


Fix available: 150.0.7871.47

Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N