HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14120Published Modified CNA Chrome

CVE-2026-14120: Inappropriate implementation in DevTools in Google Chrome prior to 150

Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in the DevTools component of Google Chrome prior to version 150.0.7871.47. An attacker who has already compromised the Chrome renderer process can exploit this flaw by delivering a crafted HTML page to a victim, bypassing the browser sandbox and gaining capabilities outside the renderer's normally restricted environment. Successful exploitation gives the attacker full read, write, and availability impact on the host, including data disclosure, content tampering, and service disruption. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection of CVE-2026-14120 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. This capability covers custom-built images that bundle Chrome or Chromium, not just images pulled from public repositories.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 9.6 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox inside each customer organization is available as part of the standard pipeline.

Available
Patch

A patched-image rebuild at Chrome version 150.0.7871.47 is available on HarborGuard for any environment whose scanned images include an affected Chrome version. For customers who opt into auto-remediation, HarborGuard is capable of executing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim's browser over the network, typically by serving a crafted HTML page from a remote host.

  • AuthenticationNot required

    No credentials or account are needed; the attacker only requires the victim to load a page.

  • Victim interactionRequired

    The victim must navigate to or load the attacker-controlled HTML page, making this a social-engineering vector requiring user action.

  • Attack complexityDetail

    The exploit is reliable and does not depend on race conditions or specific environmental conditions, though it does require a prior renderer compromise as a stepping stone.

Blast Radius

  • A successful attacker escapes the Chrome sandbox, gaining execution capabilities outside the renderer's restricted process.
  • Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable by the attacker.
  • The attacker can write or modify data on the host, including files and persistent browser state.
  • The host process or dependent services can be crashed or disrupted, causing loss of availability.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-14120 is active across all connected registries and pipelines, matching images that include Chrome or Chromium builds below 150.0.7871.47. Where compliance policy permits, HarborGuard can trigger a rebuild at the patched version (150.0.7871.47), run a regression test pass, and open a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, the findings are routed to the designated team inbox with CVSS 9.6 severity context so engineers can act manually. Given the sandbox-escape impact and the over-the-network delivery path, prioritizing this update is strongly recommended for any image that ships Chrome.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H