CRITICAL | CVE-2026-14405 | CNA: Chrome

CVE-2026-14405: Uninitialized Use in V8 in Google Chrome prior to 150

Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 150.0.7871.46
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An uninitialized memory use vulnerability in the V8 JavaScript engine affects Google Chrome versions prior to 150.0.7871.46. The flaw is reachable over the network and requires no authentication, though the attacker must convince a user to visit a crafted HTML page. Successful exploitation gives the attacker arbitrary code execution inside the Chrome sandbox, with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 150.0.7871.46 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-14405 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or ship a Chromium or Chrome binary. Any image in a connected registry or CI pipeline that carries an affected version is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 9.6 CRITICAL using the recorded CVSS v3.1 vector, and applies each customer org's compliance policy weighting to determine urgency tier and routing. Triage output is delivered to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 150.0.7871.46 becomes available through HarborGuard once the upstream fix is confirmed, giving any team a drop-in replacement for affected base images. For customers with auto-remediation enabled, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network by directing a victim to a remote crafted HTML page, so the Chrome instance must be able to load remote content over normal browser traffic.

  • Authentication: Not required

    No account, credential, or prior access to the target system is needed; any user who browses to the attacker-controlled page is a viable target.

  • Victim interaction: Required

    The attacker must socially engineer the victim into visiting a crafted HTML page, making user interaction a necessary step in the attack chain.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Attacker executes arbitrary code within the Chrome renderer sandbox, gaining control over the sandboxed process.
  • Sandboxed code execution with high confidentiality impact allows the attacker to read data accessible to the renderer, including in-page session tokens, form values, and cookies surfaced to the script context.
  • High integrity impact means the attacker can modify page content, intercept or tamper with network requests made from the renderer, and inject malicious script into the browsing session.
  • High availability impact means the attacker can crash or hang the renderer process, disrupting the user's browsing session and any web application running in the affected tab.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14405 is active across all connected registries and pipelines, matching any image that packages a Chrome or Chromium binary below 150.0.7871.46. Because this is a CRITICAL-severity issue with a confirmed fix, HarborGuard makes a patched-image rebuild at 150.0.7871.46 available as soon as the upstream release is verified. For customers with auto-remediation enabled, the platform rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, the rebuilt image is surfaced in the HarborGuard dashboard alongside the specific image tags and pipeline stages that are affected, so teams can act without additional triage work.


Fix available: 150.0.7871.46

Affected packages
  • Google / Chrome
    < 150.0.7871.46 (from 150.0.7871.46)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H