CRITICAL | CVE-2026-14397 | CNA: Chrome

CVE-2026-14397: Out of bounds write in ANGLE in Google Chrome on Mac prior to 150

Out of bounds write in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.46
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds write vulnerability exists in the ANGLE graphics layer of Google Chrome on macOS, affecting all versions prior to 150.0.7871.46. The flaw is reachable over the network and requires no authentication, but does require the victim to visit a crafted HTML page. Successful exploitation enables a sandbox escape, giving an attacker the ability to read, modify, or destroy data and processes outside the browser sandbox. A patched-image rebuild at version 150.0.7871.46 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-14397 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome on macOS base layers. Any image found to carry a Chrome version below 150.0.7871.46 will surface as a critical finding in the pipeline scan results.

Status: Available
Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. The finding is dispatched to the appropriate team inbox inside each customer organization based on configured ownership rules, so the right people see it without manual triage.

Status: Available
Patch

A patched-image rebuild pinned to Chrome 150.0.7871.46 becomes available on HarborGuard once the fix version is registered against the affected image layers. For customers who opt into auto-remediation, HarborGuard triggers an automated rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads, with no manual intervention required.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be able to load attacker-served content over normal browser traffic.

  • Authentication: Not required

    No account, session token, or prior credential is needed; any unauthenticated remote party can serve the malicious page.

  • Victim interaction: Required

    The victim must visit the attacker-controlled HTML page, meaning the attack depends on a social-engineering or malicious-link step.

  • Attack complexity: Detail

    Attack complexity is low (AC:L in the CVSS vector), meaning the exploit is reliable and requires no specific race condition, memory layout, or environmental precondition to succeed.

Blast Radius

  • Reads sensitive data from outside the browser sandbox, including files and process memory the renderer should not access.
  • Writes or modifies data in privileged OS contexts beyond the browser's sandboxed process.
  • Can crash or disrupt processes running outside the sandbox, affecting system stability beyond the browser tab.
  • Achieves full sandbox escape, enabling execution of attacker-controlled code at a privilege level above the Chrome renderer process.

How HarborGuard Handles This

Available on HarborGuard: any image bundling Google Chrome below version 150.0.7871.46 on a macOS base layer is flagged as a critical finding the moment the CVE is ingested, typically within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard initiates a rebuild at the fixed version (150.0.7871.46), runs regression tests against the rebuilt image, and opens a pull request against affected workloads automatically. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured owner inbox with full CVSS context and fix-version detail so engineers can act immediately. Compensating controls available in the interim include network-policy rules that restrict outbound browser traffic to allowlisted destinations, reducing exposure to attacker-controlled pages while a patched image is staged.


Fix available: 150.0.7871.46

Affected packages

  • Google / Chrome
    < 150.0.7871.46 (from 150.0.7871.46)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H