Severity: HIGH | CVE-2026-9880 | CNA: Chrome

CVE-2026-9880: Insufficient validation of untrusted input in WebGL in Google Chrome prior to 148

Insufficient validation of untrusted input in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

HarborGuard Analysis

Synopsis

Insufficient input validation in the WebGL component of Google Chrome (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the Chrome renderer process to escape the browser sandbox via a crafted HTML page. The vulnerability is reachable over the network and requires no authentication, but the victim must visit a malicious page and the attacker must already control the renderer process, which raises the practical complexity. Successful exploitation has high confidentiality, integrity, and availability impact outside the browser sandbox, effectively achieving code execution in the context of the host user. A patched-image rebuild at 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-9880 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation. Any image carrying a Chrome version below 148.0.7778.216 will surface as affected.

Status: Available

Triage

HarborGuard scores this CVE at 8.3 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to reflect business context. Triage results are routable to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to Chrome 148.0.7778.216 becomes available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, running regression tests against it, and opening a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted HTML page over the network, so the target Chrome instance is reachable whenever the user browses to an attacker-controlled URL.

  • Authentication: Not required

    No account credentials or prior authentication are needed; any user browsing to the malicious page is a valid target.

  • Victim interaction: Required

    The victim must open a crafted HTML page, meaning the attacker relies on social engineering or a malicious link to get the user to navigate there.

  • Attack complexity: Detail

    Attack complexity is rated High because the attacker must have already compromised the Chrome renderer process before this vulnerability can be used to escape the sandbox, introducing a significant prerequisite condition.

Blast Radius

  • An attacker who escapes the sandbox can read files and data accessible to the host OS user running Chrome, including stored credentials, session data, and local documents.
  • The attacker can write or modify files on the host filesystem within the permissions of that OS user, enabling persistence mechanisms or tampering with local data.
  • The attacker can crash or disrupt the browser process and any dependent services running under the same user context.
  • Because the scope changes (S:C in the CVSS vector), impact extends beyond the browser itself to other resources on the host system.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active the moment the advisory is ingested, covering every image in connected registries and pipelines that bundles a Chrome or Chromium binary below 148.0.7778.216. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the affected image at the patched version, executing a regression test run, and opening a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where compliance policy requires manual review before merge, the rebuilt image and test results are staged and routed to the designated owner inbox for approval. Customers who cannot immediately update are advised to consider network-policy controls that restrict which internal services can load arbitrary external URLs, and to evaluate whether any pipeline steps invoke Chrome in headless mode with untrusted input, which would represent an additional exposure surface worth isolating.
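The version match described under Detection and above can be reproduced locally. The following is an added example, not HarborGuard's code: the image names and version banners are constructed sample data, and the only value taken from this page is the fixed version 148.0.7778.216.

```python
import re

FIXED = (148, 0, 7778, 216)  # fixed version stated on this page
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(banner):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """'affected' below FIXED, 'patched' at or above it, 'unknown' otherwise."""
    version = parse_chrome_version(banner)
    if version is None:
        return "unknown"  # an unparseable banner is never reported as safe
    # Compare integer tuples: as strings, "99" would sort after "216".
    return "affected" if version < FIXED else "patched"


# Constructed inventory: image name -> output of the browser's --version flag.
INVENTORY = {
    "ci/e2e-runner:2026.05": "Google Chrome 148.0.7778.99 ",
    "web/pdf-render:1.4": "Chromium 147.0.7727.55 built on Debian",
    "qa/screenshot:latest": "Google Chrome 148.0.7778.216 ",
    "tools/crawler:7": "Google Chrome 149.0.7801.3 ",
    "legacy/report:3": "sh: google-chrome: not found",
}


def triage(inventory):
    """Map every image to its status for this CVE."""
    return {image: classify(banner) for image, banner in inventory.items()}


if __name__ == "__main__":
    for image, status in triage(INVENTORY).items():
        print(f"{status:8} {image}")
```

Images reported as unknown need a manual check, because a missing or renamed binary says nothing about whether a vulnerable build is bundled elsewhere in the image.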


Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available: 148.0.7778.216

Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H