HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14056Published Modified CNA Chrome

CVE-2026-14056: Insufficient validation of untrusted input in Media in Google Chrome prior to 150

Insufficient validation of untrusted input in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Low)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in the Media component of Google Chrome versions prior to 150.0.7871.47. The flaw is reachable over the network and requires no authentication, but does require the attacker to first compromise the renderer process and then trick a user into opening a crafted video file. Successful exploitation allows a remote attacker to break out of Chrome's sandbox, gaining full access to the host system with the ability to read, modify, or destroy data and disrupt services. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-14056 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle or depend on Chrome. Coverage applies to both registry scans and in-pipeline image checks at build time.

Available
Triage

HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each environment's compliance policy to determine priority. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.

Available
Patch

A patched-image rebuild at Chrome version 150.0.7871.47 becomes available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the target over the network, as the attack vector is network-exposed (AV:N), meaning any internet-facing or network-accessible Chrome instance is in scope.

  • AuthenticationNot required

    No account or credential is needed to initiate the attack; the crafted video file can be delivered to an unauthenticated user (PR:N).

  • Victim interactionRequired

    The victim must open or interact with a crafted video file, making this exploit dependent on a social-engineering step that delivers the malicious media to the target user (UI:R).

  • Attack complexityDetail

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors, though it does require a prior renderer process compromise as a prerequisite.

Blast Radius

  • The attacker escapes Chrome's sandbox and gains code execution in the context of the host OS process, bypassing the browser's primary isolation boundary.
  • With sandbox escape achieved, the attacker reads files accessible to the Chrome process user, including stored credentials, session cookies, and local application data.
  • The attacker modifies or deletes files on the host, including configuration files, application data, or other user-owned resources.
  • Full confidentiality, integrity, and availability impact (C:H/I:H/A:H) means the attacker can crash, corrupt, or exfiltrate from the affected host without further privilege escalation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14056 is active across all connected customer registries and build pipelines, matching images that include Chrome below version 150.0.7871.47 within minutes of scan ingestion. Given the Critical severity (CVSS 9.6) and the scope-changed sandbox escape impact, this CVE is prioritized at the highest triage tier. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding affected images at the patched version 150.0.7871.47, executing a regression test run, and opening a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or change-control requirements restrict automated remediation, HarborGuard surfaces the finding with full remediation guidance so teams can act manually against their own timelines.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H