Google Chrome versions before 150.0.7871.46 are affected by CVE-2026-14409, a V8 implementation flaw that can permit arbitrary code execution inside the browser sandbox after a user performs specific interface gestures on crafted HTML. Windows users and administrators should update Chrome through their approved update process, restart the browser if required, and verify that the complete installed version is 150.0.7871.46 or later.
Chromium classifies the issue as Low severity, while the CISA Authorized Data Publisher assessment assigns it a CVSS 3.1 score of 7.5, categorized as High. Those ratings come from different assessment frameworks. The operational conclusion is the same: remove affected Chrome versions and confirm the result with current endpoint evidence.
The immediate procedure is straightforward:
Do not close the finding based only on a major-version report such as “Chrome 150.” Chrome versions contain four numeric components, and all four are necessary to determine whether the installation has crossed the fixed-version boundary.
If Chrome remains below the threshold after an attempted update, the device has not met the documented remediation condition. Users in managed organizations should contact the responsible administrator or help desk rather than installing software through an unapproved source.
The supplied vulnerability information does not establish a registry workaround, browser flag, site-blocking rule, or configuration change that removes the vulnerable implementation. Remediation should be based on reaching the corrected version rather than on a speculative workaround.
That record establishes the following scope:
The structured affected-version fields can appear confusing when read separately, but the prose vulnerability description and the NIST product configuration support the same practical interpretation: Chrome versions before 150.0.7871.46 are affected.
The public record does not establish a platform-specific release schedule, rollout percentage, deployment duration, or date by which every device should have received the update. Administrators should avoid substituting assumptions about rollout completion for direct evidence from the endpoint.
For CVE-2026-14409, that context is inside a sandbox. The supplied material does not document an escape from the sandbox, administrative privileges, a transition into the Windows kernel, persistence outside Chrome, or unrestricted control of the endpoint.
The accurate summary is:
The record also does not establish an exploit chain involving another vulnerability. Claims that the flaw is combined with a privilege-escalation issue, reaches a more trusted process, or produces persistent host compromise would require separate evidence.
The user-interaction requirement is similarly important but should not be mistaken for a fix. The official description says an attacker must persuade the user to perform specific interface gestures. The supplied material does not disclose exactly what those gestures are, so defenders should not invent a click sequence, social-engineering scenario, delivery method, or affected interface element.
CISA-ADP’s assessment independently records required user interaction and High attack complexity. Those characteristics may make exploitation more demanding, but users cannot reliably avoid an undisclosed trigger based on the short public description. Updating remains the supported response.
A concise internal description would be:
The CVE record does not define how a particular management console describes an update as downloaded, installed, pending, successful, active, or compliant. Those labels must be interpreted according to the management product’s own documentation.
For this vulnerability, a successful deployment status is useful operational evidence, but it is not the final closure condition. The closure condition is a current, complete Chrome version reported by the endpoint.
Administrators should also distinguish between “not detected” and “not affected.” If inventory data is missing, stale, or unable to report the complete browser version, the device’s status is unknown. It may be handled as an exception, but it should not silently enter the compliant population.
Administrators should therefore not copy Chrome’s 150.0.7871.46 threshold into an Edge or third-party browser compliance rule without product-specific confirmation.
The product-specific rule is:
For mixed Windows environments, vulnerability tracking should remain separated by product. An Edge installation should not be declared vulnerable—or fixed—solely by comparing its version with the Chrome threshold. Likewise, updating Edge does not demonstrate that a separately installed copy of Chrome has been remediated.
This distinction is especially important in enterprise inventory systems that group applications into broad browser or Chromium-family categories. The scanner or asset system should retain enough product identity to show which executable and version produced the evidence.
Those facts support a measured response. Organizations may reasonably prioritize vulnerabilities with known exploitation or more direct host-level consequences ahead of this issue when resources are constrained.
They do not support indefinite deferral. The version boundary is explicit, the documented consequence is attacker-controlled code execution within the stated context, and compliance can be verified objectively.
The practical response is:
A useful finding description should therefore include the product, complete version threshold, interaction requirement, documented execution context, and rating provenance.
For example:
For CVE-2026-14409, the most reliable decision rests on evidence administrators can collect directly: which devices have Google Chrome installed, which complete version each installation currently reports, and whether that version is at least 150.0.7871.46.
Future changes to the public record may add technical detail or alter the recorded exploitation context. Fleet closure should nevertheless remain tied to current endpoint evidence. Remove the affected Chrome builds, verify every in-scope installation with its full four-part version, and retain explicit exceptions for the systems that cannot yet be confirmed.
Chromium classifies the issue as Low severity, while the CISA Authorized Data Publisher assessment assigns it a CVSS 3.1 score of 7.5, categorized as High. Those ratings come from different assessment frameworks. The operational conclusion is the same: remove affected Chrome versions and confirm the result with current endpoint evidence.
Update and Verify Chrome Now
The immediate procedure is straightforward:- Use Chrome’s built-in update facility or the organization’s approved software-management process.
- Allow the update to complete.
- Restart or relaunch Chrome if required to activate the new build.
- Check the installed version again after Chrome reopens.
- Confirm that the complete version is 150.0.7871.46 or later.
Do not close the finding based only on a major-version report such as “Chrome 150.” Chrome versions contain four numeric components, and all four are necessary to determine whether the installation has crossed the fixed-version boundary.
| Reported Google Chrome version | CVE status under the published range | Required response |
|---|---|---|
| Earlier than 150.0.7871.46 | Affected | Update, restart if required, and verify again |
| Exactly 150.0.7871.46 | Outside the documented affected range | Record the complete verified version |
| Later than 150.0.7871.46 | Outside the documented affected range | Maintain normal browser update management |
| Version unavailable or incomplete | Unknown | Obtain current four-part version evidence before closing the finding |
The supplied vulnerability information does not establish a registry workaround, browser flag, site-blocking rule, or configuration change that removes the vulnerable implementation. Remediation should be based on reaching the corrected version rather than on a speculative workaround.
The Vulnerable Boundary Ends at Chrome 150.0.7871.46
The National Vulnerability Database record identifies Google Chrome versions before 150.0.7871.46 as affected. Its description says a remote attacker could persuade a user to perform specific user-interface gestures on crafted HTML and thereby execute arbitrary code inside a sandbox.That record establishes the following scope:
- The affected product named in the record is Google Chrome.
- The vulnerable component is V8.
- The documented attack input is crafted HTML.
- The contributed CVSS assessment says existing privileges are not required.
- User interaction is required.
- Attack complexity is rated High.
- The documented consequence is arbitrary code execution inside a sandbox.
- The record does not document a sandbox escape.
The structured affected-version fields can appear confusing when read separately, but the prose vulnerability description and the NIST product configuration support the same practical interpretation: Chrome versions before 150.0.7871.46 are affected.
The public record does not establish a platform-specific release schedule, rollout percentage, deployment duration, or date by which every device should have received the update. Administrators should avoid substituting assumptions about rollout completion for direct evidence from the endpoint.
What the Documented Impact Does—and Does Not—Show
Arbitrary code execution is a meaningful security consequence. If exploitation succeeds, the attacker can cause chosen code to execute in the context described by the vulnerability record.For CVE-2026-14409, that context is inside a sandbox. The supplied material does not document an escape from the sandbox, administrative privileges, a transition into the Windows kernel, persistence outside Chrome, or unrestricted control of the endpoint.
The accurate summary is:
That limitation should be stated prominently, but it does not make the update optional. Administrators should remediate the affected browser versions without presenting the CVE as proof that an attacker can independently take complete control of Windows.CVE-2026-14409 can permit arbitrary code execution inside a sandbox after a victim performs specific user-interface gestures on crafted HTML.
The record also does not establish an exploit chain involving another vulnerability. Claims that the flaw is combined with a privilege-escalation issue, reaches a more trusted process, or produces persistent host compromise would require separate evidence.
The user-interaction requirement is similarly important but should not be mistaken for a fix. The official description says an attacker must persuade the user to perform specific interface gestures. The supplied material does not disclose exactly what those gestures are, so defenders should not invent a click sequence, social-engineering scenario, delivery method, or affected interface element.
CISA-ADP’s assessment independently records required user interaction and High attack complexity. Those characteristics may make exploitation more demanding, but users cannot reliably avoid an undisclosed trigger based on the short public description. Updating remains the supported response.
Why Ratings Differ
Security teams do not need to decide that one severity label invalidates the other. Tickets should preserve the attribution of each rating and then focus remediation on the explicit affected-version range.Chromium classifies CVE-2026-14409 as Low, while CISA-ADP assigns a 7.5 High CVSS 3.1 score. These are separate assessments produced under different frameworks. NVD displays the CISA-ADP contribution, but the available record does not present the 7.5 score as an independently generated NIST score.
The contributed vector isCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. It records a network attack vector, High complexity, no privileges required, required user interaction, unchanged scope, and High confidentiality, integrity, and availability impact values.
CISA-ADP’s SSVC contribution lists exploitation as none, automatable as no, and technical impact as total. “Exploitation: none” means that this contribution does not identify known exploitation at the time represented by the assessment; it is not a guarantee that the status cannot change.
The weakness classification was revised in the record from CWE-269 to CWE-693. That metadata history is secondary to the actionable facts: the affected product is Chrome, the threshold is 150.0.7871.46, and the documented consequence is code execution inside a sandbox. The record history also shows different SSVC timestamps, but the supplied data does not establish why the timestamp changed or whether the update was merely administrative.
A concise internal description would be:
This phrasing preserves both assessments without overstating the documented outcome.CVE-2026-14409 affects Google Chrome before 150.0.7871.46 and can permit arbitrary code execution inside a sandbox after complex, user-assisted interaction with crafted HTML. Chromium rates the issue Low; CISA-ADP assigns a 7.5 High CVSS score and records exploitation as none.
Managed Fleets Need Current Endpoint Evidence
For managed environments, the objective is to identify Chrome installations below 150.0.7871.46, move them to that version or later through an approved process, and collect fresh evidence showing the resulting installed version.The CVE record does not define how a particular management console describes an update as downloaded, installed, pending, successful, active, or compliant. Those labels must be interpreted according to the management product’s own documentation.
For this vulnerability, a successful deployment status is useful operational evidence, but it is not the final closure condition. The closure condition is a current, complete Chrome version reported by the endpoint.
Action Checklist for Administrators
- Inventory Google Chrome installations using the complete four-part version number.
- Flag every installation reporting a version below 150.0.7871.46.
- Use the organization’s approved software-management process to update affected installations.
- Restart Chrome where required to activate the installed update.
- Obtain fresh version evidence after remediation.
- Treat stale, missing, partial, or unavailable version data as unknown rather than compliant.
- Track offline and intermittently connected devices as explicit exceptions.
- Include shared systems, kiosks, virtual desktops, test devices, and deployment images where they are in scope.
- Check whether application-control or change-management policies are preventing Chrome from updating.
- Preserve pre-remediation and post-remediation version evidence in the ticket or compliance record.
- Record Chromium’s Low rating and CISA-ADP’s 7.5 High score as separate assessments.
- Do not describe the CISA-ADP score as an NIST-generated rating.
- Continue monitoring authoritative vulnerability records for changes to affected scope, exploitation status, or remediation guidance.
This rule prevents common false closures. A device should not be marked compliant merely because an update command was sent, a deployment job returned success, or the endpoint reported only “Chrome 150.” Current four-part version evidence is required.Every in-scope Chrome installation must report version 150.0.7871.46 or later, or appear on an owned exception list with a documented reason, responsible party, and follow-up plan.
Administrators should also distinguish between “not detected” and “not affected.” If inventory data is missing, stale, or unable to report the complete browser version, the device’s status is unknown. It may be handled as an exception, but it should not silently enter the compliant population.
Chrome Evidence Does Not Establish an Edge Version Threshold
The affected-product information for CVE-2026-14409 names Google Chrome. It does not directly establish that Microsoft Edge, every Chromium-derived browser, or every application that incorporates related technology is affected under the same conditions.Administrators should therefore not copy Chrome’s 150.0.7871.46 threshold into an Edge or third-party browser compliance rule without product-specific confirmation.
The product-specific rule is:
Different products can have different version schemes, patch branches, release processes, and integration details. The presence of a Chrome V8 vulnerability in the public record does not by itself prove that another browser has the same affected boundary or corrected version.Close a Chrome finding with current Chrome version evidence. Evaluate Microsoft Edge and other browsers using the affected versions and corrected builds documented by their respective vendors.
For mixed Windows environments, vulnerability tracking should remain separated by product. An Edge installation should not be declared vulnerable—or fixed—solely by comparing its version with the Chrome threshold. Likewise, updating Edge does not demonstrate that a separately installed copy of Chrome has been remediated.
This distinction is especially important in enterprise inventory systems that group applications into broad browser or Chromium-family categories. The scanner or asset system should retain enough product identity to show which executable and version produced the evidence.
Prioritize the Update Without Overstating the Threat
The available record does not describe CVE-2026-14409 as actively exploited. The CISA-ADP SSVC assessment lists exploitation as none and automatable as no. The CVSS assessment records High attack complexity, and both the description and vector require user interaction.Those facts support a measured response. Organizations may reasonably prioritize vulnerabilities with known exploitation or more direct host-level consequences ahead of this issue when resources are constrained.
They do not support indefinite deferral. The version boundary is explicit, the documented consequence is attacker-controlled code execution within the stated context, and compliance can be verified objectively.
The practical response is:
- Identify affected Chrome installations.
- Update them to 150.0.7871.46 or later.
- Restart the browser if required.
- collect a fresh four-part version report.
- Keep devices with incomplete evidence open or place them on a managed exception list.
A useful finding description should therefore include the product, complete version threshold, interaction requirement, documented execution context, and rating provenance.
For example:
That description is concise enough for a ticket while preserving the distinctions needed for accurate prioritization.Google Chrome versions before 150.0.7871.46 are affected by CVE-2026-14409. Exploitation requires specific user-interface gestures on crafted HTML and can permit arbitrary code execution inside a sandbox. Chromium classifies the issue as Low, while CISA-ADP assigns a CVSS 3.1 score of 7.5 High. Update affected Chrome installations and verify the complete installed version after remediation.
Administrator Validation Scenarios
Several common endpoint states require different handling:Chrome Reports 149.x or Earlier
The installation is below 150.0.7871.46 and therefore falls within the documented affected range. Assign the update, restart Chrome if necessary, and collect new version evidence.Chrome Reports 150.0.7871.45
The major version is 150, but the complete version remains below the threshold. The installation is affected and should not be marked compliant.Chrome Reports 150.0.7871.46
The installation is outside the documented affected range. Preserve the version and evidence timestamp in the remediation record.Chrome Reports a Later Complete Version
The installation is outside the documented affected range. Normal browser update management should continue because clearing this specific threshold does not replace ongoing patching.Inventory Reports Only “Chrome 150”
The evidence is incomplete. Obtain the remaining version components before making a compliance decision.The Deployment Tool Says “Successful,” but Version Data Is Old
Keep the finding open. The deployment result shows activity, while the stale browser version leaves the current endpoint state unconfirmed.The Endpoint Is Offline
Track it as an exception. Define an owner and follow-up action for when the device reconnects rather than counting it as either remediated or unaffected.Chrome Is Not Detected
Confirm that the inventory result is current and reliable. If the endpoint is accurately shown not to have Chrome installed, the Chrome-specific finding does not apply. If detection is unreliable or stale, classify the status as unknown until product presence can be established.The Device Has Both Chrome and Edge
Evaluate the Chrome installation against 150.0.7871.46. Handle Edge separately using Microsoft’s product-specific information. Do not treat one browser’s update state as evidence for the other.What Windows Defenders Should Carry Forward
The immediate decision is uncomplicated even though the public record contains different severity signals:- Google Chrome versions before 150.0.7871.46 are affected.
- Users and administrators should update Chrome through an approved process, restart it if required, and verify version 150.0.7871.46 or later.
- Verification must use the complete four-part version.
- The attack requires specific user-interface gestures on crafted HTML and is rated High complexity by the contributed CVSS assessment.
- The documented result is arbitrary code execution inside a sandbox.
- Chromium’s Low severity and CISA-ADP’s 7.5 High score are separate assessments.
- CISA-ADP’s SSVC contribution lists exploitation as none and automatable as no.
- The affected product identified in the record is Google Chrome.
- Chrome’s version threshold should not be applied automatically to Edge or another browser.
- Managed-fleet remediation should remain open until current endpoint evidence proves that each in-scope Chrome installation is outside the affected range.
For CVE-2026-14409, the most reliable decision rests on evidence administrators can collect directly: which devices have Google Chrome installed, which complete version each installation currently reports, and whether that version is at least 150.0.7871.46.
Future changes to the public record may add technical detail or alter the recorded exploitation context. Fleet closure should nevertheless remain tied to current endpoint evidence. Remove the affected Chrome builds, verify every in-scope installation with its full four-part version, and retain explicit exceptions for the systems that cannot yet be confirmed.
References
- Primary source: NVD / Chromium
Published: 2026-07-11T15:37:55-07:00
Loading…
nvd.nist.gov - Security advisory: MSRC
Published: 2026-07-11T15:37:55-07:00
Original feed URL
Loading…
msrc.microsoft.com - Related coverage: security.snyk.io
Loading…
security.snyk.io - Related coverage: chromium.org
Loading…
www.chromium.org - Related coverage: blog.chromium.org
Loading…
blog.chromium.org