CRITICAL | CVE-2026-14113 | CNA: Chrome

CVE-2026-14113: Use after free in Updater in Google Chrome on Windows prior to 150

Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Updater component of Google Chrome on Windows in versions prior to 150.0.7871.47. The flaw is reachable over the network without authentication, but requires the attacker to have already compromised the renderer process and to trick a user into visiting a crafted HTML page. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's sandboxed renderer with high impact to confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-14113 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication by ingesting from upstream feeds including the Chrome release channel. Coverage extends to custom-built images that bundle a Chrome or Chromium binary, not only official base images.

Status: Available

Triage

HarborGuard scores this CVE at 9.6 CRITICAL (CVSS v3.1) and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is available to adjust severity thresholds and route findings to the appropriate team inbox inside each customer organization.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available in HarborGuard the moment the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the affected host must be reachable or the user must browse to an attacker-controlled resource over the internet.

  • Authentication: Not required

    No credentials are needed; the attack is initiated by a remote unauthenticated party serving a malicious page.

  • Victim interaction: Required

    The targeted user must visit and render the crafted HTML page, making social engineering or a malicious ad/link a necessary part of the attack chain.

  • Attack complexity: Detail

    Exploit conditions are low-complexity and largely free of environmental dependencies, though the attacker must already have compromised the renderer process as a prerequisite before triggering the Updater use-after-free.

Blast Radius

  • Escapes Chrome's renderer sandbox, gaining code execution in a higher-privilege process context on the Windows host.
  • Reads arbitrary files and stored secrets accessible to the Chrome process, including saved passwords, cookies, and session tokens.
  • Writes or modifies files and registry entries on the host, enabling persistence or tampering with locally stored data.
  • Crashes or destabilizes the browser process and, depending on post-exploitation behavior, can disrupt availability of the affected Windows system.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14113 activates against any image found to bundle a vulnerable Chrome build on Windows, covering both upstream base images and internally built images. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at Chrome 150.0.7871.47, executes a regression test run against the rebuilt image, and opens a pull request targeting affected workloads. For high- and critical-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Teams without auto-remediation enabled can act on the finding directly from the HarborGuard dashboard, where the fix version and affected image manifest are surfaced alongside the full CVSS breakdown.

Fix available: 150.0.7871.47

Affected packages

  • Google / Chrome: < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H