CVE-2026-14420: Out of bounds read and write in Dawn in Google Chrome prior to 150
Out of bounds read and write in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.46
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds read and write vulnerability exists in Dawn, the WebGPU implementation inside Google Chrome versions prior to 150.0.7871.46. The flaw is reachable over the network with no authentication required, but a victim must visit a crafted HTML page for the attack to trigger. Successful exploitation enables sandbox escape, giving an attacker the ability to read and write memory outside the Chrome sandbox, execute arbitrary code on the underlying host, and fully compromise confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 150.0.7871.46 is available on HarborGuard for environments running an affected Chrome version.
HarborGuard Coverage
Detection of CVE-2026-14420 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium runtime.
Available
HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical), weighted against each environment's compliance policy, and routes findings to the appropriate team inbox within the customer organization based on configured ownership rules.
Available
A patched-image rebuild pinned to Chrome 150.0.7871.46 becomes available on HarborGuard the moment the fix version is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page hosted on an attacker-controlled server.
- Authentication: Not required
No account or credential of any kind is required; the exploit works against any unauthenticated browser session.
- Victim interaction: Required
The victim must navigate to or be redirected to the crafted HTML page, requiring at minimum a click on a malicious link or a drive-by redirect.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race wins, or memory-layout prerequisites.
Blast Radius
- A successful sandbox escape lets the attacker execute arbitrary code as the OS-level user running Chrome, outside the browser sandbox.
- The attacker reads any data accessible to that OS user, including stored credentials, session tokens, and files on disk.
- The attacker writes or modifies files and persisted data accessible to that OS user, including application data and configuration.
- The attacker can crash or destabilize the host process and dependent services, causing a loss of availability.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-14420 is active across connected registries and pipelines, matching any image that packages a Chrome or Chromium binary below version 150.0.7871.46. Given the Critical severity (CVSS 9.6) and confirmed sandbox-escape impact, this CVE is prioritized at the top of the triage queue under default HarborGuard policy. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before merge, the PR is opened and held for review with full diff and test results attached. Customers who cannot immediately upgrade should consider isolating workloads that run Chrome as a headless or embedded browser behind network policy rules that restrict outbound access to untrusted origins.
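The version match described above can be reproduced by hand when auditing images outside a scanner. The following is an added example, not HarborGuard's code: it classifies captured `--version` output against the fix version 150.0.7871.46, comparing the four version fields numerically because a plain string comparison would wrongly rank 150.0.7871.100 below 150.0.7871.46. The image names and version strings are constructed sample data.

```python
import re

# Fix version stated in the advisory.
FIXED = (150, 0, 7871, 46)

# Chrome/Chromium versions are four dot-separated integers.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_output):
    """Classify one line of browser version output against the fix version."""
    v = parse_version(version_output)
    if v is None:
        # No parseable version: do not assume safe, surface for manual review.
        return "unknown"
    # Tuple comparison is numeric per field, unlike string comparison.
    return "affected" if v < FIXED else "fixed"


# Constructed inventory: image name -> captured version output (assumed names).
SAMPLE = {
    "ci/e2e-runner:1.4": "Google Chrome 149.0.7822.101",
    "pdf/render:2.0": "Chromium 150.0.7871.45 built on Debian",
    "scrape/worker:7": "Google Chrome 150.0.7871.46",
    "qa/browser:latest": "Chromium 150.0.7871.100 snap",
    "legacy/kiosk:3": "chrome: not found",
}


def report(inventory):
    """Map every image in the inventory to affected / fixed / unknown."""
    return {image: classify(out) for image, out in inventory.items()}


if __name__ == "__main__":
    for image, status in report(SAMPLE).items():
        print(f"{status:9} {image}")
```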
Fix available
- Google / Chrome < 150.0.7871.46 (from 150.0.7871.46)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H