CVE-2026-14426: Update Chrome to 150.0.7871.46 or Later

Google Chrome installations below 150.0.7871.46 fall within the documented affected range for CVE-2026-14426, a high-severity V8 use-after-free vulnerability that can permit arbitrary code execution inside the browser sandbox after specific user-interface gestures on crafted HTML.
What changed: CVE-2026-14426 documents a use-after-free vulnerability affecting V8 in Google Chrome.
Who is affected: Google Chrome installations reporting a complete version lower than 150.0.7871.46.
What to do now: Update affected installations through the approved update mechanism, fully relaunch the browser, and verify that the running version is no longer below 150.0.7871.46.
For an individual installation, save active work, apply the available Chrome update through the organization’s approved method, and fully relaunch the browser. Then inspect the complete version reported by the newly started browser and confirm that it is 150.0.7871.46 or later.
Version 150.0.7871.46 is the documented exclusion boundary for the affected range. That does not necessarily make it the first generally available corrected build on every operating system, release channel, or deployment path. Organizations should install the current vendor-supported update available to them rather than treating the boundary as a permanent version target.

Cybersecurity graphic showing a Chrome vulnerability warning and Windows dashboard updating endpoints to a secure version.Chrome 150 Draws a Security Line at Version 150.0.7871.46​

The vulnerability record identifies Google Chrome versions below 150.0.7871.46 as affected by CVE-2026-14426. That four-part version boundary is more useful to administrators than the major-version label alone: an inventory entry that reports only Chrome 150 does not establish whether the installation is inside or outside the recorded affected range.
The practical comparison must use all four components:
  • A version lower than 150.0.7871.46 is within the documented affected range.
  • Version 150.0.7871.46 is excluded from that affected range.
  • A later version is also outside the affected range documented by this record.
Version numbers should be compared component by component, not as ordinary decimal values or unstructured text. Compare 150, then 0, then 7871, and finally 46. If an earlier component is lower, the complete installed version is lower regardless of later components.
Chrome stateCVE-2026-14426 statusOperational interpretationRequired response
Earlier than 150.0.7871.46AffectedThe installation falls within the documented Google Chrome affected rangeUpdate, relaunch, and verify the complete running version
150.0.7871.46Excluded from the affected rangeThe version meets the documented exclusion boundaryConfirm that this is the running version and retain the result
Later than 150.0.7871.46Outside the documented affected rangeThe reported version is beyond the recorded boundaryRetain version evidence and continue normal update management
“Chrome 150” with no remaining componentsIndeterminateThe major-version label cannot prove remediationCollect the complete four-part version
The final row is especially important for Windows fleet reporting. A dashboard that groups endpoints under “Chrome 150” may conceal both affected and unaffected builds. Compliance logic should use the full version string rather than a marketing label, major version, deployment policy, or presumed update status.

This Is a Remote Attack, but Not an Interaction-Free Compromise​

The vulnerability description contains three conditions that should be read together. An attacker must provide crafted HTML, the target must perform specific user-interface gestures, and exploitation must successfully trigger the documented use-after-free condition.
The CISA-ADP CVSS 3.1 vector records:
  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: None
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality impact: High
  • Integrity impact: High
  • Availability impact: High
The attack can therefore begin with remotely supplied content and does not require the attacker to hold an existing account or privilege on the target. Successful exploitation is not described as automatic, however. It depends on user interaction and conditions reflected in the high attack-complexity rating.
The public description does not identify the required gestures. It does not say whether the prerequisite is a click, selection, drag, focus change, keyboard action, or another form of interaction. Security notices should retain the record’s general language rather than inventing a more specific trigger.
The interaction requirement may influence prioritization, but it is not a reason to postpone remediation. Users routinely interact with unfamiliar web interfaces, follow page instructions, and respond to prompts. Required interaction narrows the path to exploitation without eliminating the risk.
Similarly, no particular delivery method is established. Crafted HTML could be hosted or supplied in more than one way, but the record does not identify an advertising campaign, email operation, compromised website, messaging lure, or other active distribution mechanism. Those scenarios require separate evidence.

The Documented Technical Outcome Is Sandboxed Code Execution​

CVE-2026-14426 is classified as CWE-416, Use After Free. This weakness class concerns software continuing to use memory after the associated object has been released. The stale reference can point to memory that is no longer valid for its original purpose.
The consequences of a use-after-free defect vary by implementation and execution conditions. In this case, the vulnerability description states that a remote attacker could potentially execute arbitrary code inside the browser sandbox after the required user-interface gestures on crafted HTML.
That is the appropriate technical outcome to use in alerts, scanner annotations, executive summaries, and remediation tickets. It is more serious than a browser crash, but it is not a documented claim of unrestricted code execution on the underlying Windows system.
No public exploit sequence is provided in the available record. There is no need to fill that gap with speculation about object replacement, memory layout, allocation behavior, compiler decisions, or other implementation details. The disclosed consequence and affected-version boundary are sufficient to support prompt patching.
The high attack-complexity rating indicates that successful exploitation depends on conditions beyond merely reaching an affected browser. It does not reduce the documented impact to instability or denial of service. The useful risk statement is that CVE-2026-14426 combines a more demanding attack path with a potentially serious result inside the affected browser security context.

The Sandbox Qualification Must Remain in the Headline Risk Statement​

The vulnerability description explicitly places arbitrary code execution inside the browser sandbox. It does not describe CVE-2026-14426 as a standalone sandbox escape, privilege-escalation vulnerability, or complete compromise of the host operating system.
Security teams should preserve that distinction. The record does not state that this CVE alone grants system-level privileges, unrestricted access to local files, operating-system credential theft, persistence, or administrative control of the endpoint.
Browser vulnerabilities can sometimes appear in multi-stage attack chains, but no companion vulnerability or documented chain is identified here. A general possibility should not be converted into a report that this specific CVE automatically escapes the sandbox.
At the same time, the sandbox qualification should not be used to dismiss the vulnerability. Attacker-directed code execution within the documented context is a serious security event. The proportionate response is to state the boundary accurately and remove affected browser versions promptly.

A 7.5 Score Requires Reading the Vector, Not Just the Number​

CISA-ADP assigned CVE-2026-14426 a CVSS 3.1 base score of 7.5 HIGH. Internal reports should preserve that attribution rather than presenting the value as an independent NIST assessment.
The vector provides more decision value than the score alone. Network reachability and the absence of a privilege requirement increase concern. Required user interaction and high attack complexity narrow the path to exploitation. Confidentiality, integrity, and availability impacts are each recorded as high.
CVSS describes vulnerability characteristics. It does not determine whether public exploit code exists, whether attacks are underway, which organizations might be targeted, or how quickly exploitation conditions may change. Threat activity and endpoint exposure must be assessed separately.
CISA’s SSVC information records the following fields:
SSVC fieldRecorded value
ExploitationNone
AutomatableNo
Technical impactTotal
These values should be reported as recorded. In particular, the technical impact: total value should not be expanded into an unsupported explanation of what “total” means in this specific browser or sandbox context.
The exploitation: none field is a recorded assessment, not a permanent warranty. It supports the narrower statement that the supplied SSVC information did not record exploitation at the time represented by the assessment. It should not be rewritten as a claim that Google independently confirmed that no attacks had occurred.
Likewise, automatable: no should remain an SSVC field rather than being treated as proof that exploitation could never be delivered at scale. Exposure, interaction, exploitation reliability, and automation are related but distinct questions.

Evidence Boundary​

The available record supports the following conclusions:
  • The affected product named in the record is Google Chrome.
  • Versions below 150.0.7871.46 are within the documented affected range.
  • The weakness is identified as a V8 use-after-free and classified as CWE-416.
  • Exploitation involves crafted HTML and specific user-interface gestures.
  • The potential result is arbitrary code execution inside the browser sandbox.
  • CISA-ADP assigned a CVSS 3.1 score of 7.5 HIGH.
  • The CVSS vector records network access, high complexity, no required privileges, required user interaction, unchanged scope, and high confidentiality, integrity, and availability impacts.
  • The SSVC fields record exploitation as none, automatable as no, and technical impact as total.
  • The linked issue requires permission to access.
The record does not provide the exact user-interface gestures, a public exploit procedure, a documented sandbox escape, a companion vulnerability chain, a Chrome release calendar, or platform-by-platform deployment details. It also does not define affected-version boundaries for Microsoft Edge or other browsers.
This evidence boundary replaces the need to repeat qualifications throughout every operational section. Where additional vendor information becomes available, administrators can add it to their assessment without weakening the conclusions already supported by the CVE record.

Record Timeline​

The record history shows a sequence of vulnerability-data events:
  1. The Chrome submission supplied the vulnerability description, affected-version information, weakness classification, and references.
  2. CISA-ADP contributed the CVSS 3.1 assessment and SSVC fields.
  3. NVD analysis added the Google Chrome affected-product configuration and reference classifications.
  4. The SSVC information was later modified.
These are record-maintenance milestones, not Chrome release milestones. Unconfirmed calendar dates have been omitted. None of these events should be interpreted as proving when a particular Chrome build became available on every platform or channel.
The sequence also illustrates why endpoint remediation should not depend solely on record publication timing. Vulnerability metadata may be enriched or modified after the initial submission. The operational test remains whether an installed Google Chrome version is below the documented boundary.

Restricted Bug Details Limit Defender Insight​

The issue reference associated with CVE-2026-14426 is marked Permissions Required. That establishes that the linked issue is not publicly accessible through the supplied reference.
The restriction leaves defenders without a public technical account of the precise code path or triggering interface sequence. It does not, by itself, prove why access is restricted or when additional details may become public.
Administrators still have enough information to take effective action: the affected product, exact affected-range boundary, weakness classification, interaction requirement, potential outcome, CVSS assessment, and SSVC fields are available.
The lack of public bug detail also limits CVE-specific detection claims. The record does not provide a supported JavaScript function, document structure, URL pattern, crash signature, event sequence, or gesture that can serve as a definitive exploitation indicator.
General endpoint, browser, network, and crash telemetry may remain useful during an investigation, but an event should not be labeled as attempted exploitation of CVE-2026-14426 solely because it occurred on a computer running an affected Chrome version. Version remediation is the most direct control established by the available information.

Windows Admins Need Version Evidence, Not Policy Intent​

A configured update policy is not the same as a completed update. A successful deployment command is not the same as a corrected running browser. Windows administrators need endpoint evidence collected after the browser has restarted.
The strongest fleet workflow has four stages:
  1. Pre-update inventory: Collect the complete four-part Google Chrome version from every managed endpoint.
  2. Targeted remediation: Identify installations below 150.0.7871.46 and deploy the organization’s approved current Chrome update.
  3. Restart completion: Require a full browser relaunch or endpoint restart under the organization’s change and user-notification policies.
  4. Post-relaunch verification: Collect the complete Chrome version again and keep the endpoint open in the remediation queue until the running or authoritative post-restart inventory is no longer below 150.0.7871.46.
A practical administrative checklist follows.

Managed-Fleet Checklist​

  • [ ] Query all managed Windows endpoints for the complete Chrome version.
  • [ ] Reject inventory values that contain only the major version, such as “150.”
  • [ ] Compare all four version components against 150.0.7871.46.
  • [ ] Place lower versions in a dedicated remediation group.
  • [ ] Deploy the current approved vendor-supported Chrome update.
  • [ ] Record whether deployment was successful, failed, deferred, or not reported.
  • [ ] Arrange a browser relaunch or endpoint restart.
  • [ ] Run a new inventory after that restart event.
  • [ ] Confirm that the post-restart version is not below 150.0.7871.46.
  • [ ] Investigate endpoints that fail to return new inventory.
  • [ ] Investigate endpoints that continue to report the affected version.
  • [ ] Record approved exceptions with an owner, reason, compensating controls, and expiration date.
  • [ ] Retain pre-update and post-update evidence for audit and incident-response use.
  • [ ] Continue deploying later supported Chrome security updates rather than pinning systems to the boundary version.
The evidence retained for each endpoint should ideally include:
Evidence fieldPurpose
Device identifierConnects the result to a specific managed endpoint
Pre-update four-part versionProves whether the endpoint was initially affected
Update deployment resultRecords the management action taken
Relaunch or restart statusShows whether the running browser could have changed
Post-restart four-part versionProvides the strongest closure evidence
Verification timeEstablishes when the result was collected
Exception statusIdentifies systems that remain exposed with authorization
Exception owner and expirationPrevents temporary deferrals from becoming permanent
Post-relaunch verification is the differentiating control. Without it, administrators may close tickets based only on policy intent, package delivery, or an update command that did not replace the browser instance still in use.
Endpoints that do not return post-restart data should not automatically be counted as remediated. “No data” is an evidence gap, not a passing result. Those systems may be offline, unmanaged, unable to update, or still running the affected build.

Exception Evidence​

Compatibility requirements or operational constraints may prevent immediate updating on a limited number of systems. Each exception should include:
  • The affected endpoint and complete installed version
  • The business application or dependency blocking the update
  • The responsible system and application owners
  • The date the exception was approved
  • A defined expiration or review date
  • Interim exposure-reduction measures
  • The planned test and remediation path
  • A final post-relaunch version result when the exception closes
An exception record should never consist only of “Chrome 150 installed.” That label does not establish whether the endpoint is below or outside the affected range.

Chrome’s CVE Does Not Automatically Describe Every Chromium Browser​

The affected product named in this CVE record is Google Chrome. The supplied product configuration identifies Google Chrome versions below 150.0.7871.46.
That scope does not establish an affected range for Microsoft Edge or any other browser. Chrome’s version boundary should not be copied into another product’s compliance rule without vendor-specific evidence.
This distinction matters on Windows fleets where Chrome and Edge may coexist. An endpoint can satisfy the Chrome check while still requiring a separate browser-security review. Conversely, an Edge version number cannot be compared with Chrome’s 150.0.7871.46 boundary to determine whether Edge is affected or corrected.
Shared technology may provide a reason to investigate another vendor’s status, but it does not manufacture a product-specific version threshold. Each browser should be evaluated against its own vendor’s security and release information.

The Useful Reading Is More Concrete Than the Headline​

CVE-2026-14426 deserves prompt attention because it affects a web-facing browser and can permit arbitrary code execution inside Chrome’s sandbox. Its user-interaction requirement, high attack complexity, and sandbox qualification are important parts of the risk statement, but none eliminates the need to remediate affected installations.
The durable operational conclusions are straightforward:
  • Google Chrome versions below 150.0.7871.46 are within the documented affected range.
  • Version 150.0.7871.46 is the exclusion boundary, not necessarily a universal first corrected release for every platform or channel.
  • Exploitation involves crafted HTML and specific user-interface gestures.
  • The attacker requires no existing privileges.
  • Attack complexity is rated high and user interaction is required.
  • The potential outcome is arbitrary code execution inside the browser sandbox.
  • The record does not document a standalone sandbox escape.
  • CISA’s SSVC fields record exploitation as none, automatable as no, and technical impact as total.
  • The affected product identified by this record is Google Chrome, not every browser that may share related technology.
  • Full four-part version collection is necessary because Chrome 150 alone is insufficient.
  • Deployment success must be followed by a browser relaunch or endpoint restart.
  • The strongest closure evidence is a complete post-relaunch version collected from the endpoint.
  • Systems without post-restart evidence should remain open for investigation or documented exception handling.
The immediate action is to inventory complete Google Chrome versions, remediate every installation below 150.0.7871.46, and verify the version again after Chrome has fully restarted. The longer-term control is just as important: keep collecting four-part versions, preserve exception evidence, and continue moving endpoints to current vendor-supported security releases rather than stopping permanently at the documented boundary.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:38:13-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:38:13-07:00
    Original feed URL
  3. Related coverage: govcert.gov.hk
 

Back
Top