CVE-2026-14411: Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.46
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficient input validation in ANGLE, the graphics translation layer inside Google Chrome, allows a remote attacker to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, though a victim must visit a malicious page. Successful exploitation gives the attacker code execution outside the Chrome sandbox, effectively breaking the primary isolation boundary that prevents web content from accessing the host system. A patched-image rebuild at version 150.0.7871.46 is available on HarborGuard for environments running an affected Chrome version.
HarborGuard Coverage
Detection of CVE-2026-14411 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Chrome or Chromium-based tooling.
HarborGuard scores this CVE at 9.6 CRITICAL using the CVSS v3.1 vector, and triage routing is available to surface it to the appropriate team within each customer org based on per-environment compliance policy weighting.
A patched-image rebuild pinned to Chrome 150.0.7871.46 becomes available for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against the affected workload automatically.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the exploit over the network by directing a victim to a crafted HTML page, so the affected Chrome instance must be able to load attacker-controlled web content.
- Authentication: Not required
  No credentials or account are needed; any anonymous visitor to the attacker-controlled page is a viable target.
- Victim interaction: Required
  The victim must open the crafted HTML page in an affected Chrome browser, making this a social-engineering or malicious-link scenario.
- Attack complexity
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Breaks out of the Chrome renderer sandbox, giving the attacker a foothold at the privilege level of the browser process on the host.
- Reads files and credentials accessible to the user running Chrome, including session tokens, saved passwords, and local configuration data.
- Writes or modifies files on the host filesystem within the user's permission scope, enabling persistence or tampering with local application data.
- Can crash or destabilize the browser process and any dependent services, causing denial of service for the affected user session.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome older than 150.0.7871.46 is flagged immediately upon scan, with this CVE surfaced at CRITICAL severity. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a pull request against the affected workload; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild is staged and the PR is held in draft pending reviewer sign-off. Customers who cannot immediately update are encouraged to apply network-policy controls that restrict which internal services can be reached from hosts running the affected Chrome version, and to evaluate whether the workload requires a browser component at all.
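A version check of the kind described above, as an added example (not HarborGuard's code): it extracts the four-part Chrome version from a version string and compares it field by field against the fixed release 150.0.7871.46. The sample inventory, image names and string shapes are constructed, and it assumes Chromium-based builds report the same four-part version scheme.

```python
import re

# Fixed version from the advisory; anything lower is affected.
FIXED = (150, 0, 7871, 46)

# Four dot-separated numeric fields, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\.?\d)")


def parse_chrome_version(text):
    """Return the first four-part version in `text` as an int tuple, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version_output, fixed=FIXED):
    """True = below the fix, False = at/above it, None = no version found."""
    version = parse_chrome_version(version_output)
    if version is None:
        return None  # unknown is not the same as safe: route to manual review
    # Tuples compare field by field as integers, so ...5 < ...46 as intended.
    # Comparing the raw strings would rank "150.0.7871.5" above "150.0.7871.46".
    return version < fixed


# Constructed sample inventory: image name -> version string (assumed shape).
SAMPLES = {
    "ci-runner": "Google Chrome 150.0.7871.45 ",
    "pdf-render": "Chromium 150.0.7871.5 snap",
    "e2e-tests": "Google Chrome 150.0.7871.46 ",
    "scraper": "HeadlessChrome/151.0.7900.10",
    "legacy-box": "sh: google-chrome: not found",
}


def audit(inventory):
    """Map each image name to its is_affected() verdict."""
    return {name: is_affected(output) for name, output in inventory.items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "UNKNOWN, review manually"}
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:12} {labels[verdict]}")
```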
Fix available
- Google / Chrome < 150.0.7871.46 (from 150.0.7871.46)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H