CRITICAL | CVE-2026-14090 | Published | Modified | CNA: Chrome

CVE-2026-14090: Insufficient validation of untrusted input in CameraCapture in Google Chrome on ChromeOS prior to 150

Insufficient validation of untrusted input in CameraCapture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds memory read vulnerability exists in the CameraCapture component of Google Chrome on ChromeOS, affecting versions prior to 150.0.7871.47. Per the record's CVSS v3.1 vector, the flaw is reachable over the network with no authentication or user interaction required: a remote attacker can trigger it by delivering a crafted HTML page. The same vector rates confidentiality, integrity, and availability impact as High, so successful exploitation is scored as giving the attacker read access to memory contents, the ability to tamper with data, and the ability to crash the affected process; the CNA description names only the out-of-bounds read and assigns a Chromium security severity of Low. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-14090 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built ChromeOS-based images. Any image containing a vulnerable Chrome version below 150.0.7871.47 is flagged automatically.

Status: Available

Triage

Triage is available with a CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency and priority. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at Chrome version 150.0.7871.47 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network; the vulnerable component is exposed to remote connections and can be triggered by serving a crafted HTML page.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to deliver the exploit.

  • Victim interaction: Not required

    No action is required from the victim; the attacker can trigger the vulnerability without any user participation.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads out-of-bounds memory contents, which may include session tokens, credentials, or other sensitive data held in the Chrome process.
  • The attacker can tamper with in-memory data structures, potentially altering application state or injecting malicious content.
  • The attacker can crash the affected Chrome process, denying camera capture functionality to the user.
  • All three impacts (read, write, crash) are rated High in the CVSS record, meaning each represents full loss of confidentiality, integrity, or availability within the affected scope.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome on ChromeOS below version 150.0.7871.47 are matched against CVE-2026-14090 within minutes of the advisory entering upstream feeds. A rebuilt image at the fixed version (150.0.7871.47) is available for any environment where a vulnerable version is detected. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes regression tests, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is surfaced with full CVSS context and fix-version details so the responsible team can act immediately.


Fix available: 150.0.7871.47

Affected packages

  • Google / Chrome: < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H