CRITICAL | CVE-2026-14121 | CNA: Chrome

CVE-2026-14121: Use after free in Chromoting in Google Chrome on Linux prior to 150

Use after free in Chromoting in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.47
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in the Chromoting component of Google Chrome on Linux allows a remote attacker to execute arbitrary code by sending malicious network traffic. No authentication is required and no victim interaction is needed, making this exploitable directly over the network against any exposed instance. Successful exploitation gives the attacker full code execution in the context of the affected process. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Chrome on Linux.

Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and makes that score available alongside per-environment compliance policy weighting, routing findings to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild pinned to Chrome 150.0.7871.47 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target service over the network; any internet-exposed or internally reachable Chrome Chromoting instance is in scope.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The exploit is delivered entirely through malicious network traffic; no user action such as clicking a link or opening a file is required.

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the exploit is reliable and requires no special race conditions, memory-layout dependencies, or other environmental factors to succeed.

Blast Radius

  • The attacker executes arbitrary code in the context of the Chromoting process, gaining direct control over that process on the affected Linux host.
  • Confidentiality is fully compromised: the attacker can read any data accessible to the process, including credentials, session state, and files reachable under the process user.
  • Integrity is fully compromised: the attacker can write, modify, or delete data and configuration accessible to the process.
  • Availability is fully compromised: the attacker can crash or hang the affected service at will.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14121 is active across all connected environments, and a patched-image rebuild at Chrome 150.0.7871.47 is available the moment an affected image is identified. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads automatically; for high and critical severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. For customers who have not opted into auto-remediation, HarborGuard surfaces the finding with CVSS scoring and compliance policy context so that the owning team can act immediately. Given the network-reachable, no-auth, no-interaction attack surface, upgrading to 150.0.7871.47 or isolating Chromoting traffic with network policy controls is the recommended immediate action.


Fix available: 150.0.7871.47

Affected packages

  • Google / Chrome: < 150.0.7871.47 (from 150.0.7871.47)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H