HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14152Published Modified CNA Chrome

CVE-2026-14152: Out of bounds read and write in ANGLE in Google Chrome prior to 150

Out of bounds read and write in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An out-of-bounds read and write vulnerability exists in ANGLE, the graphics abstraction layer used by Google Chrome prior to version 150.0.7871.47. The flaw is reachable over the network without authentication, but requires a user to visit a crafted HTML page and assumes the attacker has already compromised the renderer process. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's renderer sandbox with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-14152 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built images that bundle Chrome or Chromium as a dependency, not only upstream base images.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to send findings to the appropriate team inbox within each customer organization based on policy configuration.

Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available on HarborGuard the moment the fix version is confirmed against an affected image. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the resulting image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the exploit over the network by directing a victim to a crafted HTML page, so the vulnerable service must be reachable from an external or network-adjacent origin.

  • AuthenticationNot required

    No credentials or account are required; the attacker needs only to get a user to load a crafted page.

  • Victim interactionRequired

    The victim must visit a crafted HTML page, meaning the attacker depends on a social-engineering step such as a malicious link or redirect.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout, though it does assume the renderer process has already been compromised as a prerequisite.

Blast Radius

  • Attacker escapes Chrome's renderer sandbox, gaining code execution in a more privileged process context on the host.
  • High confidentiality impact: the attacker can read data outside the sandbox boundary, including files and memory accessible to the browser process.
  • High integrity impact: the attacker can write to resources outside the sandbox, enabling modification of files or process memory on the host.
  • High availability impact: the attacker can crash or disrupt the browser process and potentially other host processes reachable from the escaped context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14152 is active across all connected registries and pipelines, matching any image that packages a Chrome or Chromium binary older than 150.0.7871.47. Given the Critical severity rating of 9.6, this CVE is prioritized at ingestion and routed immediately through each customer's compliance policy weighting. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the patched version, run regression tests against the new image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the finding surfaced in their HarborGuard dashboard with fix-version details and affected image inventory ready for action.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H