CVE-2026-14419: Update Chrome to 150.0.7871.46 for Skia Sandbox Escape

Affected: Google Chrome versions earlier than 150.0.7871.46
Action:
Update Chrome to 150.0.7871.46 or later, then relaunch it
Current public status: CISA’s SSVC record lists exploitation as none
Google Chrome versions earlier than 150.0.7871.46 contain CVE-2026-14419, a critical use-after-free vulnerability in the Skia component. According to the supplied NVD record, a remote attacker could potentially use a crafted HTML page to perform a sandbox escape.
For Windows users, check and update Chrome now:
  1. Open Chrome.
  2. Select the three-dot menu (⋮).
  3. Select Help > About Google Chrome.
  4. Confirm that the version is 150.0.7871.46 or later.
  5. Select Relaunch if prompted, then return to the About page and verify the version again.
The vulnerability carries a CISA-ADP CVSS 3.1 score of 9.6, while CISA’s SSVC record lists exploitation as none. That combination makes this a high-consequence vulnerability requiring prompt remediation, but it does not establish that attackers are currently exploiting it.

Security graphic highlights Chrome 150.0.7871.46 patching a critical Skia use-after-free vulnerability.A Graphics Bug Becomes a Security-Boundary Problem​

Chrome’s advisory identifies CVE-2026-14419 as a use-after-free vulnerability in Skia. The NVD description says a remote attacker could potentially use a crafted HTML page to perform a sandbox escape in Chrome versions prior to 150.0.7871.46. Chromium assigns the vulnerability its highest security severity: Critical.
The vulnerability is categorized as CWE-416: Use After Free. In general terms, this weakness occurs when software continues to use a reference to memory after the associated object has been freed. The exact conditions and exploitation mechanics of CVE-2026-14419 are not described in the supplied public record.
The disclosure also does not provide a complete exploitation narrative. The linked Chromium issue requires permission, so the public material does not document the triggering conditions, affected code path, proof of concept, or reliability of exploitation.
It would therefore be inaccurate to present CVE-2026-14419 as a publicly documented, one-click compromise technique. It would be equally inaccurate to dismiss it as an ordinary stability bug. The supplied description explicitly identifies a potential sandbox escape resulting from a crafted HTML page.
A sandbox is intended to limit what untrusted browser content can do. A vulnerability that potentially crosses that boundary threatens a protection designed to contain damage from malicious content. That security-boundary consequence—not an unsupported claim about a specific attack chain—is the central reason to prioritize the update.
Assessment fact box
  • Chrome severity: Critical
  • CISA-ADP CVSS 3.1: 9.6, Critical
  • CISA SSVC: Exploitation recorded as none; automatable recorded as no; technical impact recorded as total
  • NVD assessments: NVD’s own CVSS 4.0, CVSS 3.x, and CVSS 2.0 assessments had not yet been provided in the supplied record

The Score Measures Potential Consequence, Not Current Attack Activity​

Several assessment systems appear in the vulnerability record, and they answer different questions. They should not be compressed into a single claim about whether attacks are happening.
AssessmentRecorded resultWhat it establishesWhat it does not establish
Chromium security severityCriticalChrome classifies the vulnerability as highly severeIt does not establish exploitation in the wild
CISA-ADP CVSS 3.19.6, CriticalThe recorded vector describes a remotely reachable vulnerability requiring user interaction and carrying potentially high cross-boundary impactIt is not a prediction that exploitation will occur
CISA SSVCExploitation: none; automatable: no; technical impact: totalThe supplied SSVC record contains those three determinations“None” is not proof that exploitation has never occurred
NVD CVSS assessmentsNot yet providedNVD had not supplied its own CVSS assessments at the recorded stageThe missing NVD assessments do not erase the CISA-ADP score or Chrome’s rating
The distinction between CVSS and SSVC is especially useful. The CISA-ADP CVSS assessment describes characteristics and potential impact that result in a 9.6 Critical score. The SSVC entry separately records exploitation as none, automation as no, and technical impact as total.
Those findings are compatible. A vulnerability can carry severe potential consequences without public evidence of current exploitation. Likewise, the absence of recorded exploitation does not reduce the fixed-version boundary or eliminate the need to patch.
The precise supplied-record wording should be preserved: CISA’s SSVC record lists exploitation as none. That is narrower and more defensible than claiming that exploitation has never occurred. Public records reflect the information available to their contributors; they cannot prove the absence of private, undetected, or undisclosed activity.
Administrators do not need to declare an active attack campaign in order to accelerate remediation. The combination of Chrome’s Critical classification, a 9.6 CISA-ADP score, potential sandbox escape, and a clear fixed-version threshold is sufficient reason to move the update ahead of ordinary maintenance.

Critical Is Not a Synonym for Zero-Day​

Security reporting often blends severity, exploitability, and observed exploitation into a single alarm label. CVE-2026-14419 demonstrates why those concepts should remain separate.
Chrome rates the vulnerability Critical. CISA-ADP gives it a Critical score of 9.6. Neither statement establishes that the flaw was exploited before the fix, that exploit code is publicly available, or that attacks have been observed.
CISA’s SSVC record lists exploitation as none. On the supplied evidence, CVE-2026-14419 should therefore not be described as a confirmed zero-day under active exploitation.
That status does not make the update optional. It changes how the issue should be communicated:
  • Tell users and administrators to update promptly.
  • Explain that the potential impact is severe.
  • Do not claim there is a known attack campaign.
  • Do not claim that exploitation is impossible.
  • Do not turn missing technical detail into an invented exploit narrative.
This approach supports urgency without overstating the public evidence.

The Version Boundary Is Clearer Than the Exploit Story​

The supplied NVD affected-software configuration identifies Google Chrome versions up to, but excluding, 150.0.7871.46. The CVE description likewise identifies Chrome versions prior to 150.0.7871.46 as vulnerable.
That produces a straightforward test:
  • A Chrome version earlier than 150.0.7871.46 falls within the affected range.
  • Chrome 150.0.7871.46 or later has crossed the published fix boundary for CVE-2026-14419.
Users should not stop after opening the About page and seeing that an update is available. Complete the procedure by selecting Relaunch when Chrome requests it, then open Help > About Google Chrome again and verify that the displayed version is at least 150.0.7871.46.
Organizations should apply the same standard to managed devices. A deployment report saying that an update was assigned or delivered is not the same as evidence showing that the installed Chrome version satisfies the required threshold.
The remediation goal is measurable: every in-scope Google Chrome installation should report version 150.0.7871.46 or later.

A Concrete Enterprise Verification Procedure​

The following workflow is intentionally product-agnostic. It can be implemented in Microsoft Intune, Microsoft Configuration Manager, another endpoint-management platform, a vulnerability scanner, or an organization’s existing software-inventory system.
  1. Create a device query for Google Chrome.
    Search the endpoint inventory by the installed-product name and, where supported, by the version metadata associated with the Chrome executable.
  2. Set the compliance condition.
    Mark a device compliant only when its detected Chrome version is 150.0.7871.46 or later. Do not use “update deployed,” “installation successful,” or “policy received” as the final compliance test.
  3. Export the initial affected-device list.
    Record the device name, assigned user, detected Chrome version, last inventory time, and management status. Separate devices below the threshold from devices that have not reported recently.
  4. Deploy or accelerate the approved Chrome update.
    Use the organization’s existing software-deployment mechanism, but target the concrete version condition rather than relying on a general instruction to keep browsers current.
  5. Tell users to relaunch Chrome.
    Provide the exact path: ⋮ > Help > About Google Chrome, followed by Relaunch if prompted.
  6. Run a fresh inventory scan after deployment.
    Query the installed Chrome version again. The verification result must show 150.0.7871.46 or later.
  7. Create an exception report.
    List every device that remains below the threshold, reports no readable version, has not checked in, or failed the deployment. Assign each exception an owner and remediation deadline.
  8. Perform a user-visible spot check.
    On a representative sample of Windows endpoints, open Help > About Google Chrome and compare the displayed version with the management platform’s inventory result. Investigate any discrepancy before declaring the deployment complete.
  9. Recheck special-purpose systems separately.
    Include kiosks, shared workstations, virtual desktops, test machines, and golden images if Google Chrome is installed on them.
  10. Close the task only on version evidence.
    Remediation is complete when the endpoint inventory—and spot checks where required—shows Chrome 150.0.7871.46 or later across the in-scope population.
This procedure supplies an auditable enterprise test without assuming a particular management product. The essential control is a version-based detection rule followed by a fresh inventory cycle.

Record Timeline​

The supplied record shows the vulnerability information developing through several stages, but the available material does not support publishing the previously listed July 2026 dates and timestamps. Those unsupported dates should not be used.
The defensible sequence is:
  1. Chrome submitted the CVE information identifying CVE-2026-14419, the CWE-416 classification, the affected-version boundary, the Chrome release advisory, and the permission-restricted Chromium issue.
  2. CISA-ADP supplied the CVSS 3.1 vector and 9.6 Critical score.
  3. The SSVC record listed exploitation as none, automatable as no, and technical impact as total.
  4. NVD added the Google Chrome affected-software configuration covering versions up to, but excluding, 150.0.7871.46.
  5. NVD’s own CVSS assessments remained unavailable in the supplied record.
The sequence is more important for remediation than unsupported timestamp precision. It shows that the product, weakness class, impact description, contributor score, and fixed-version threshold are available even though NVD had not yet supplied its own CVSS assessments.

Enterprise Risk Lives in the Installed Base​

The operational risk from CVE-2026-14419 depends on how many Chrome installations remain below the fixed-version threshold.
For a small organization, remediation may consist of asking users to follow the About-page update procedure and confirming the resulting version. For a larger organization, the challenge is identifying and correcting every exception across offices, remote devices, update groups, virtual environments, shared systems, and test machines.
Chrome may also be installed outside the organization’s standard software catalog. Developers may use it for compatibility testing, users may install it alongside an approved browser, and support personnel may maintain multiple browsers. A query limited to centrally assigned Chrome packages may therefore undercount the installed population.
An inventory should answer three questions:
  1. Where is Google Chrome installed?
  2. Which detected installations are earlier than 150.0.7871.46?
  3. Which devices lack sufficiently recent inventory information to establish their status?
The third category is important. A stale or missing report should not automatically be counted as compliant. It should become an exception requiring a new check-in, direct verification, or another approved method of determining the installed version.
Organizations can prioritize sensitive endpoints for early verification, but the final objective should remain comprehensive. Every in-scope Chrome installation below the threshold needs an update, and every device with unknown status needs investigation.

Action checklist for Windows administrators​

  • [ ] Inventory Google Chrome across managed Windows endpoints.
  • [ ] Identify every version earlier than 150.0.7871.46.
  • [ ] Mark devices with stale or missing inventory as unknown rather than compliant.
  • [ ] Deploy or accelerate the approved Chrome update.
  • [ ] Instruct users to open ⋮ > Help > About Google Chrome.
  • [ ] Require users to select Relaunch if prompted.
  • [ ] Run a new inventory scan after the update.
  • [ ] Verify that detected versions are 150.0.7871.46 or later.
  • [ ] Spot-check the About page on representative endpoints.
  • [ ] Investigate deployment failures and version discrepancies.
  • [ ] Check kiosks, shared PCs, virtual desktops, test systems, and golden images.
  • [ ] Record temporary exceptions, their owners, and their remediation deadlines.
  • [ ] Close the incident only after version-based verification.
None of these steps depends on an exploit signature or evidence of a specific attack. This is version-based remediation: find Chrome installations below the published boundary, update them, relaunch where prompted, and verify the resulting version.

What the CVSS Vector Says​

The CISA-ADP record supplies the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
Read by component, that assessment records:
  • AV:N — Network attack vector
  • AC:L — Low attack complexity
  • PR:N — No privileges required
  • UI:R — User interaction required
  • S:C — Changed scope
  • C:H — High confidentiality impact
  • I:H — High integrity impact
  • A:H — High availability impact
The vector is consistent with the supplied crafted-HTML scenario: an attacker can act remotely, but user interaction is required. The changed-scope value is also consistent with the description of a potential sandbox escape.
“User interaction required” should be reported accurately without being treated as either irrelevant or a complete defense. The record identifies a crafted HTML page, but it does not describe the exact delivery method or user journey. There is no need to add speculative lists of advertisements, redirects, embedded content, or social-engineering techniques.
Likewise, low attack complexity is a CVSS category, not proof that a reliable exploit is publicly available or easy to build. The supplied record does not provide sufficient technical detail to assess exploit reliability.
The vector supports expedited patching because it combines remote reachability, no required privileges, changed scope, and high recorded impacts. It does not support claims about a currently operational exploit.

NVD’s Missing Score Is Not a Downgrade​

The supplied NVD material states that NVD assessments had not yet been provided under CVSS 4.0, CVSS 3.x, or CVSS 2.0. The 9.6 score displayed in the record comes from CISA-ADP rather than an NVD-owned calculation.
That attribution matters. Vulnerability databases can contain vendor classifications, contributor assessments, and NVD enrichment at the same time. A security product that displays every available number as an “NVD score” can conceal where the assessment originated.
An absent NVD assessment does not contradict the 9.6 CISA-ADP rating or Chrome’s Critical classification. It means only that NVD had not supplied its own CVSS assessment at the stage represented by the supplied record.
Security teams should verify how their tools handle this distinction. If a dashboard marks CVE-2026-14419 as unscored merely because an NVD-owned score is absent, it may fail to surface the available CISA-ADP assessment and Chrome severity.
A missing enrichment field should prompt review rather than an automatic downgrade. For this vulnerability, the available record already provides enough information to establish the affected product, version threshold, weakness class, potential sandbox-escape impact, Chrome severity, CISA-ADP score, and SSVC status.

The Supplied Record Formally Identifies Google Chrome​

The affected-software information supplied for CVE-2026-14419 identifies Google Chrome. It should not be extrapolated into unsupported fixed-version claims for Microsoft Edge, Brave, Vivaldi, Opera, embedded Chromium products, or other software that may use related components.
Administrators can check those products through their respective vendors, but Chrome’s version boundary must not be applied to them. Google Chrome is the only formally affected product in the supplied record.
This distinction matters on Windows systems where multiple browsers may coexist. Updating one browser does not establish the status of another, even when the products share upstream technology.
Track each browser as a separate product. Use its vendor’s own affected-version and fixed-version information before declaring it vulnerable or remediated.

What the Public Disclosure Does—and Does Not—Support​

The public record supports the following statements:
  • CVE-2026-14419 is a use-after-free vulnerability categorized as CWE-416.
  • The affected component is identified as Skia.
  • Google Chrome versions earlier than 150.0.7871.46 are affected.
  • A remote attacker could potentially use a crafted HTML page to perform a sandbox escape.
  • Chrome rates the vulnerability Critical.
  • CISA-ADP assigns a CVSS 3.1 score of 9.6 Critical.
  • CISA’s SSVC record lists exploitation as none.
  • The SSVC record lists automatable as no and technical impact as total.
  • NVD had not supplied its own CVSS assessments in the provided record.
  • The linked Chromium issue requires permission.
The record does not support claims that the vulnerability guarantees arbitrary code execution, produces a complete machine takeover, has been exploited in the wild, or is part of a known attack campaign. It also does not provide enough detail to describe heap-shaping methods, triggering sequences, acceleration paths, cached-resource behavior, updater internals, or a reverse-engineering timeline.
Restricting analysis to the available evidence does not weaken the security message. The supported facts are already serious: a Critical Chrome vulnerability, a potential sandbox escape, a 9.6 contributor score, and a clear version boundary.

Closing the Patch Loop​

The conventional patch workflow should not end when a deployment system reports success. It should end when the organization can demonstrate that affected Google Chrome installations are no longer below 150.0.7871.46.
That requires a short but complete loop:
  1. Discover Chrome installations.
  2. Compare their versions with 150.0.7871.46.
  3. Deploy the approved update.
  4. Tell users to relaunch Chrome when prompted.
  5. Collect fresh version information.
  6. Investigate every failed, stale, or unknown result.
  7. Document completion using version evidence.
Individual Windows users can perform the same verification directly through Chrome menu (⋮) > Help > About Google Chrome. The final displayed version should be 150.0.7871.46 or later.
CISA’s SSVC record lists exploitation as none, and that should prevent unsupported claims of an active zero-day campaign. It should not become a reason to leave a Critical browser vulnerability unpatched.
CVE-2026-14419 presents administrators with an unusually clear remediation target. The complete exploit story is not public, but the defensive action is: update Google Chrome, relaunch it, and verify that every in-scope installation has reached version 150.0.7871.46 or later.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:38:08-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:38:08-07:00
    Original feed URL
  3. Related coverage: security.snyk.io
 

Back
Top