CVE-2026-14055: Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150
Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an insufficient input validation vulnerability in the Device Trust component of Google Chrome on Windows, affecting versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require a victim to interact with a crafted HTML page; additionally, the attacker must have already compromised the renderer process as a prerequisite. Successful exploitation enables a full sandbox escape, granting the attacker read access to confidential data, the ability to tamper with files or system state, and the ability to crash or disrupt the host. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-14055 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image shipping a Chrome version below 150.0.7871.47 on Windows is flagged automatically.
Available
HarborGuard scores this vulnerability at CVSS 9.6 (Critical) and weights it against each customer organization's compliance policy to determine urgency and routing. Triage tickets are routed to the appropriate team inbox within each customer org based on policy configuration, with Critical-severity findings surfaced at the highest priority tier.
Available
A patched-image rebuild at Chrome 150.0.7871.47 becomes available on HarborGuard once the fix version is confirmed in the upstream advisory, as it is here. For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker delivers the crafted HTML page over the network, so the victim's browser must be reachable from or directed to an attacker-controlled remote origin.
- Authentication: Not required
  No account credentials or prior authentication are needed; the attack is launched against any user who visits the malicious page.
- Victim interaction: Required
  The victim must open or be redirected to a crafted HTML page, making this a social-engineering or drive-by-navigation scenario.
- Attack complexity: Detail
  Exploit reliability is high and no special environmental conditions are required, though the attacker must already control the renderer process as a prerequisite stepping stone before triggering the sandbox escape.
Blast Radius
- Reads confidential data accessible to the browser process, including stored credentials, session tokens, and local files within the browser's reach.
- Modifies files or system state outside the sandbox boundary, including writing to arbitrary user-writable paths on the Windows host.
- Crashes or disrupts the affected Chrome process or dependent services on the host.
- Establishes a beachhead outside the browser sandbox, enabling further lateral movement or privilege escalation on the Windows system.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-14055 is active across all customer environments scanning Chrome-based images on Windows, with matching performed within minutes of CVE publication. A patched-image rebuild at Chrome 150.0.7871.47 is available for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the rebuilt image and associated test results are staged and surfaced in the customer dashboard for one-click promotion. Customers not yet on auto-remediation should prioritize updating any Chrome image below 150.0.7871.47 immediately, given the Critical score and the sandbox-escape impact class.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H