CVE-2026-14417: Use after free in Dawn in Google Chrome prior to 150
Use after free in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.46
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in Dawn, the WebGPU implementation in Google Chrome, allows a remote attacker to exploit the browser through a specially crafted HTML page. The attack is reachable over the network and requires no authentication, but the victim must visit a malicious page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning the exploit can break out of the Chrome sandbox and affect resources beyond the browser process itself. Successful exploitation gives the attacker high confidentiality, integrity, and availability impact on the host, including access to confidential data, persistent modification, and potential code execution outside the sandbox. A patched-image rebuild at version 150.0.7871.46 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-14417 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium. Any image carrying a Chrome version below 150.0.7871.46 is flagged automatically.
Available
HarborGuard scores this vulnerability at CVSS 9.6 (Critical) and surfaces it accordingly in each customer org's priority queue. Per-environment compliance policy weighting is applied so the finding is routed to the team responsible for browser-runtime images, with severity-appropriate SLA thresholds applied automatically.
Available
A patched-image rebuild targeting Chrome 150.0.7871.46 becomes available through HarborGuard as soon as the fixed base image or package is resolvable from upstream. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs the configured regression suite, and opens a pull request against each affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the victim's browser over the network by serving a crafted HTML page from a remote origin.
- Authentication: Not required
No account or credential of any kind is needed; any user browsing to the malicious page is a valid target.
- Victim interaction: Required
The victim must visit the attacker-controlled page, making social engineering (phishing link, malicious ad, compromised site) a necessary step.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.
Blast Radius
- The attacker reads confidential data accessible to the Chrome process, including stored credentials, cookies, and session tokens.
- The attacker writes or modifies data within the browser context and, via sandbox escape, on the underlying host filesystem or process space.
- The scope change (S:C) means impact extends beyond the browser sandbox, so host-level processes and resources are reachable after exploitation.
- The attacker can crash or destabilize the affected Chrome process or, post-escape, other services on the host, disrupting availability.
How HarborGuard Handles This
Available on HarborGuard: detection of this Critical use-after-free fires automatically against any image that packages Chrome below 150.0.7871.46, covering both upstream base images and internally built images. For customers with auto-remediation enabled, HarborGuard triggers a rebuild at the fixed version (150.0.7871.46), executes the regression test suite, and opens a pull request against affected workloads, with a median time to merged patch PR of around 90 minutes for critical-severity findings. Where compliance policy requires manual approval, the rebuilt image and full CVSS detail are staged for reviewer sign-off. Because this vulnerability carries a scope-change rating and enables sandbox escape leading to full host compromise, customers who cannot immediately apply the patch are advised to enforce network policies that restrict outbound browser traffic to known-good origins and to consider disabling WebGPU (the Dawn feature surface) via feature-flag or enterprise policy until the fixed image is deployed.
Fix available
- Google / Chrome < 150.0.7871.46 (from 150.0.7871.46)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H