CVE-2026-14152: Out of bounds read and write in ANGLE in Google Chrome prior to 150
Out of bounds read and write in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 9.6
- Severity
- CRITICAL
- Fixed in
- 150.0.7871.47
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds read and write vulnerability exists in ANGLE, the graphics abstraction layer used by Google Chrome prior to version 150.0.7871.47. The flaw is reachable over the network without authentication, but requires a user to visit a crafted HTML page and assumes the attacker has already compromised the renderer process. Successful exploitation enables a sandbox escape, giving the attacker code execution outside Chrome's renderer sandbox with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-14152 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built images that bundle Chrome or Chromium as a dependency, not only upstream base images.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.6 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to send findings to the appropriate team inbox within each customer organization based on policy configuration.
AvailableA patched-image rebuild pinned to Chrome 150.0.7871.47 becomes available on HarborGuard the moment the fix version is confirmed against an affected image. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the resulting image, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by directing a victim to a crafted HTML page, so the vulnerable service must be reachable from an external or network-adjacent origin.
- AuthenticationNot required
No credentials or account are required; the attacker needs only to get a user to load a crafted page.
- Victim interactionRequired
The victim must visit a crafted HTML page, meaning the attacker depends on a social-engineering step such as a malicious link or redirect.
- Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout, though it does assume the renderer process has already been compromised as a prerequisite.
Blast Radius
- Attacker escapes Chrome's renderer sandbox, gaining code execution in a more privileged process context on the host.
- High confidentiality impact: the attacker can read data outside the sandbox boundary, including files and memory accessible to the browser process.
- High integrity impact: the attacker can write to resources outside the sandbox, enabling modification of files or process memory on the host.
- High availability impact: the attacker can crash or disrupt the browser process and potentially other host processes reachable from the escaped context.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-14152 is active across all connected registries and pipelines, matching any image that packages a Chrome or Chromium binary older than 150.0.7871.47. Given the Critical severity rating of 9.6, this CVE is prioritized at ingestion and routed immediately through each customer's compliance policy weighting. Where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at the patched version, run regression tests against the new image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the finding surfaced in their HarborGuard dashboard with fix-version details and affected image inventory ready for action.
Fix available
- Google / Chrome< 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H