CVE-2026-14432 Fixed in Chrome 150.0.7871.46: Update Now

Answer first
  • Affected: Google Chrome versions earlier than 150.0.7871.46
  • Fixed: Google Chrome 150.0.7871.46 or later
  • Impact: Crafted HTML can trigger a V8 use-after-free condition and execute arbitrary code inside the Chrome sandbox
  • CISA-ADP SSVC exploitation value: none in the supplied assessment record; this is a record field, not a live claim about current activity
  • Action: Update Chrome, relaunch it, and verify the full product version, not merely “Chrome 150”

Chrome update screen highlights a use-after-free vulnerability and sandbox protection.Update and Verify Chrome on Windows Now​

On a Windows PC:
  1. Open Google Chrome.
  2. Enter chrome://settings/help in the address bar and press Enter. You can also select Menu ⋮ > Help > About Google Chrome.
  3. Let Chrome finish checking for an update.
  4. Confirm that the complete version shown is 150.0.7871.46 or later.
  5. If Chrome offers Relaunch, select it. Otherwise, fully close Chrome and reopen it.
  6. Return to chrome://settings/help and verify the full version again.
A result that says only Chrome 150 is not precise enough. The documented remediation boundary includes all four version components: 150.0.7871.46. Any lower version remains within the affected range described in the supplied record.
Google addressed CVE-2026-14432 in Chrome 150.0.7871.46. The record describes a V8 use-after-free flaw affecting earlier Chrome versions that could allow a remote attacker to execute arbitrary code inside the browser sandbox through crafted HTML.
The available evidence does not describe CVE-2026-14432 as a Chrome sandbox escape, a Windows privilege-escalation vulnerability, or a confirmed actively exploited zero-day. Those limits should remain clear. They do not, however, change the direct remediation answer: Chrome versions earlier than 150.0.7871.46 should be updated across that boundary and then verified.

A Medium Chrome Bug Can Still Carry an 8.8 High Score​

CVE-2026-14432 is categorized as CWE-416, Use After Free, in V8. The supplied Chrome description states that crafted HTML can lead to arbitrary code execution inside the sandbox on affected installations.
Chromium assigns the issue a security severity of Medium. A contributed CISA-ADP CVSS 3.1 assessment assigns it a base score of 8.8, corresponding to High severity. These labels should not be flattened into a single supposedly definitive rating because they come from different assessment systems.
The evidence supports reporting the labels and their authors. It does not support speculation about every factor considered by Chromium’s internal severity process.
AssessmentRecorded valueWhat the supplied evidence supports
Chromium security severityMediumThe vendor’s recorded severity label for the issue
CISA-ADP CVSS 3.18.8 HighA contributed standardized score based on the recorded vector
CISA-ADP SSVC exploitationnoneThe exact exploitation field value in the supplied assessment record
CISA-ADP SSVC automatablenoThe exact automation field value in the supplied assessment record
CISA-ADP SSVC technical impacttotalThe exact technical-impact field value in the supplied assessment record
Remediation boundary150.0.7871.46Earlier versions are affected; this version and later versions are outside the documented affected range
The CISA-ADP vector records AV:N/AC:L/PR:N/UI:R with C:H/I:H/A:H. In practical terms, the assessment models network reachability, low attack complexity, no required prior privileges, required user interaction, and High potential impact to confidentiality, integrity, and availability. That combination supports the contributed 8.8 High rating.
User interaction matters, but the supplied evidence does not establish the exact sequence of actions needed beyond exposure to crafted HTML. It therefore would be inappropriate to claim either that a passive page view necessarily completes exploitation or that a complicated set of gestures is required.
The cleanest evidence-bound explanation is this: the CISA-ADP assessment requires user interaction, while the Chrome description identifies crafted HTML as the attacker-controlled input.

Severity, Exploitation Status, and Remediation Answer Different Questions​

The most useful feature of this CVE record is the separation among four different kinds of information:
  1. Chromium’s vendor severity label: Medium.
  2. CISA-ADP’s contributed CVSS rating: 8.8 High.
  3. CISA-ADP’s SSVC fields: exploitation none, automatable no, and technical impact total.
  4. The affected-version boundary: Chrome versions earlier than 150.0.7871.46.
These values are related, but they are not interchangeable.
A severity label expresses an assessment of the vulnerability. A CVSS vector models defined exploit conditions and potential consequences. An SSVC field captures a separate decision-oriented classification in a particular assessment record. The fixed-version boundary identifies what administrators can directly remediate and verify.
The SSVC value “exploitation: none” must be reported carefully. It is the exact CISA-ADP field value in the supplied record, associated with that record’s July 2026 assessment activity. It should not be rewritten as a broad claim that exploitation is impossible, that no attempt has ever occurred, or that no exploitation has occurred since the record was produced.
Likewise, “automatable: no” should remain an attribution to CISA-ADP rather than becoming an unsupported claim that exploitation cannot be scaled under any circumstances.
The “technical impact: total” field should also remain in context. It is an SSVC assessment value, not proof that a complete Windows endpoint takeover has occurred or that the documented vulnerability independently escapes Chrome’s sandbox.
Taken together, the fields describe high potential consequences under the CISA-ADP scoring model while preserving the assessment record’s exploitation value of none. Neither side should be omitted merely to make the risk sound more or less dramatic.

What “Inside the Sandbox” Establishes—and What It Does Not​

The Chrome description limits the documented code execution to inside the sandbox. That boundary is important.
The supplied facts do not establish that CVE-2026-14432 independently:
  • Escapes the Chrome sandbox
  • Obtains Windows administrator or SYSTEM privileges
  • Executes code outside Chrome’s documented sandboxed context
  • Establishes persistence
  • Steals credentials or files
  • Forms part of a known multi-vulnerability exploit chain
  • Has been used in an identified campaign
Reporting should therefore avoid describing the flaw as a complete remote takeover of a Windows computer. That would go beyond the available record.
At the same time, “inside the sandbox” is not equivalent to “no security impact.” The record explicitly describes arbitrary code execution, and the CISA-ADP vector assigns High impact values to confidentiality, integrity, and availability. Those are the supported reasons to prioritize the update; broader theories about post-exploitation behavior are unnecessary.
The public Chromium issue is permission-restricted. That fact establishes only that the underlying issue cannot be fully reviewed from the supplied public material. It does not, by itself, establish Google’s rationale for restricting access or prove a particular disclosure policy. Administrators should not fill that information gap with invented exploit details, indicators, mitigations, or detection logic.
The fixed-version boundary remains the most concrete defensive fact available.

Chrome 150 Is Not a Sufficient Compliance Result​

Google Chrome 150.0.7871.46 is the relevant fixed baseline in the supplied CVE information. The affected range is expressed as versions earlier than that build.
This precision matters because a major-version-only inventory result cannot distinguish among builds on opposite sides of the boundary. The following examples illustrate the required comparison:
Reported versionStatus under the documented boundary
149.xAffected
150.0.7871.45Affected
150.0.7871.46Fixed baseline
Any version later than 150.0.7871.46Outside the documented affected range
“Chrome 150” with no complete build numberInsufficient evidence to determine status
Administrators should compare versions component by component rather than searching inventory data for the text “150.” A record that captures only the major version is not adequate for this CVE.
For an individual user, the About Chrome procedure provides a direct verification path. For an enterprise, the evidence supports a narrower and more concrete requirement: obtain the full product version from each in-scope Chrome installation and compare it with 150.0.7871.46.
The supplied evidence establishes that version threshold. It does not establish the behavior of a particular Chrome management policy, update service, deployment platform, endpoint inventory agent, or process-monitoring product. Organizations must validate those capabilities in their own environments instead of treating them as facts derived from this CVE record.

Enterprise Verification and Remediation Path​

A defensible enterprise workflow can be built without making assumptions about Chrome’s update mechanics or a specific management product.

1. Define the required inventory field​

The inventory source must capture the complete Google Chrome product version in a form comparable with:
150.0.7871.46
A field containing only a product name, release channel, package date, or major version is insufficient.
Administrators should also ensure that the record identifies the endpoint and the discovered Chrome installation. If the organization’s inventory tooling can report multiple installations, each discovered Chrome instance should receive its own version result rather than being collapsed into a single major-version label.

2. Classify the result​

Use a simple rule:
  • Earlier than 150.0.7871.46: vulnerable under the supplied affected-version range
  • 150.0.7871.46 or later: meets the documented fixed-version boundary
  • Missing, partial, or stale version: unknown and requiring direct verification
Do not count “Chrome 150” as remediated. Do not infer compliance from the presence of an update job, a deployment success message, or a package name unless the organization has independently validated that the result represents the complete installed version.

3. Remediate affected and unknown devices​

Use the organization’s approved Chrome servicing or software-deployment method to move affected devices to 150.0.7871.46 or later.
Where an automated method is unavailable or its result cannot be verified, instruct the user or support technician to:
  1. Open Chrome.
  2. Navigate to chrome://settings/help.
  3. Let update checking finish.
  4. Select Relaunch if offered, or fully close and reopen Chrome.
  5. Reopen chrome://settings/help.
  6. Confirm the complete version is 150.0.7871.46 or later.
This procedure verifies the outcome that matters without presuming how the update was delivered.

4. Recollect the version​

After remediation, collect the full product version again. A successful deployment action is not the same as a verified compliant version.
The closure evidence for the vulnerability ticket should include:
  • Endpoint identity
  • Full Chrome product version
  • Verification time
  • Result of the threshold comparison
  • Exception status, if the version could not be obtained or remediated

5. Investigate exceptions​

Devices should remain open for remediation if they:
  • Report a version earlier than 150.0.7871.46
  • Report only “150” or another partial value
  • Have no recent Chrome inventory
  • Return conflicting product versions
  • Cannot complete the manual About Chrome verification
  • Cannot be reached through the normal management workflow
This is an operational control designed around the documented version boundary. It is not a claim that the supplied CVE evidence proves specific policy behavior, update-service behavior, installation-scope differences, or process-reporting capabilities.

Admin checklist​

  • [ ] Ensure inventory captures the full Chrome product version
  • [ ] Flag every version earlier than 150.0.7871.46
  • [ ] Treat partial or missing versions as unknown, not compliant
  • [ ] Deploy an approved version at or above the fixed boundary
  • [ ] Have users select Relaunch when offered, or fully close and reopen Chrome
  • [ ] Recheck chrome://settings/help where direct validation is needed
  • [ ] Recollect the complete version after remediation
  • [ ] Retain endpoint, version, and verification-time evidence
  • [ ] Investigate conflicting, stale, missing, or incomplete inventory
  • [ ] Monitor later vendor and government record changes without assuming the original SSVC exploitation value remains current forever

Record Timeline​

The supplied record supports a sequence of disclosure and enrichment activity, but the article does not need unsupported release-calendar claims to explain the risk.
Chrome CVE submission — Chrome supplied the central vulnerability description: a V8 use-after-free issue affecting versions earlier than 150.0.7871.46, reachable through crafted HTML, with arbitrary code execution documented inside the sandbox.
CISA-ADP enrichment — CISA-ADP supplied the contributed CVSS 3.1 vector and 8.8 High rating. Its SSVC record lists exploitation as none, automatable as no, and technical impact as total.
NIST analysis — NIST associated the vulnerability with the affected Chrome product range and the available Chrome and Chromium references. The supplied material does not show an independent NVD CVSS score for the issue.
Later record activity — The supplied history includes subsequent assessment-record activity. A timestamp change should not be described as a substantive change in exploitation, automation, or technical-impact values unless the underlying fields also changed.
This timeline deliberately omits claims about an early-stable rollout, a limited deployment percentage, a stable-channel promotion date, operating-system scope, or a rollout lasting “days and weeks.” Those details are not necessary to identify the vulnerable range or complete remediation, and they are not established by the supplied excerpt.

The Public Record Is Enough for Triage, Not Exploit Reconstruction​

The available material provides a sufficient minimum set of facts for vulnerability management:
  • The vulnerable component is identified as V8.
  • The weakness is classified as CWE-416, Use After Free.
  • Crafted HTML is the documented attacker-controlled input.
  • User interaction is required in the contributed CVSS vector.
  • Arbitrary code execution is documented inside the sandbox.
  • Versions earlier than 150.0.7871.46 are affected.
  • Version 150.0.7871.46 establishes the fixed boundary.
  • Chromium assigns Medium severity.
  • CISA-ADP assigns a contributed 8.8 High score.
  • CISA-ADP’s supplied SSVC record lists exploitation as none, automatable as no, and technical impact as total.
The material does not provide enough information to reconstruct the trigger, describe the affected object’s exact lifetime, develop a CVE-specific detector, or claim that a particular JavaScript pattern identifies exploitation.
It also does not support a list of specific delivery routes. The defensible delivery statement is limited to the record: the vulnerability can be reached through crafted HTML and the CISA-ADP vector requires user interaction. Claims about phishing, malicious advertising, compromised websites, search manipulation, messaging platforms, or trusted accounts would require additional sourcing.
Similarly, this CVE record does not establish how endpoint detection and response, web filtering, script controls, browser isolation, application control, or other security products would alter exposure. Those controls may be evaluated as part of an organization’s broader security architecture, but they should not be advertised as confirmed CVE-2026-14432 mitigations based solely on the supplied facts.
For this issue, version verification is more reliable than speculative detection guidance.

Risk Communications Should Preserve Every Boundary​

The strongest concise description supported by the record is:
CVE-2026-14432 is a V8 use-after-free vulnerability affecting Chrome versions earlier than 150.0.7871.46. Crafted HTML can lead to arbitrary code execution inside the Chrome sandbox, with user interaction required under the contributed CISA-ADP CVSS assessment.
That wording is serious but constrained.
Calling the issue a confirmed zero-day would exceed the evidence. Calling it a Windows takeover would exceed the documented sandbox boundary. Calling it harmless because Chromium rates it Medium would omit the contributed 8.8 High assessment and its High confidentiality, integrity, and availability impact values.
The CISA-ADP SSVC field “exploitation: none” should be quoted as a field value from the supplied July 2026 record. It should not be converted into an evergreen statement that no exploitation has been identified at the present moment. Exploitation status is time-sensitive and can change after a record is published.
A suitable message to users is direct:
Google Chrome versions earlier than 150.0.7871.46 are affected by a security vulnerability. Open chrome://settings/help, allow the update check to finish, relaunch or fully reopen Chrome, and verify that the complete version is 150.0.7871.46 or later.
A suitable message to administrators is equally direct:
Inventory the complete Chrome product version, remediate every result below 150.0.7871.46, treat partial results as unknown, and recollect the version before closing the vulnerability ticket.
Neither message depends on unsupported theories about exploit chains, delivery campaigns, browser-update internals, or the capabilities of a particular management or security product.

The Version Threshold, Not a Single Label, Should Drive the Response​

CVE-2026-14432 demonstrates why browser vulnerability management should not stop at one severity word.
Chromium’s Medium label is the vendor severity. CISA-ADP’s 8.8 High value is a contributed CVSS 3.1 assessment supported by a vector containing AV:N, AC:L, PR:N, UI:R, and High impact values for confidentiality, integrity, and availability. The SSVC values add a separate assessment layer: exploitation none, automatable no, and technical impact total. The version range supplies the actionable remediation boundary.
The evidence-bound conclusions are:
  • Chrome versions earlier than 150.0.7871.46 are affected.
  • Chrome 150.0.7871.46 or later meets the documented fixed-version boundary.
  • The issue is a CWE-416 use-after-free vulnerability in V8.
  • Crafted HTML can result in arbitrary code execution inside the Chrome sandbox.
  • The contributed CISA-ADP CVSS 3.1 score is 8.8 High.
  • The CISA-ADP vector requires user interaction.
  • The supplied CISA-ADP SSVC record lists exploitation: none, but that value must remain tied to the record and its timestamp.
  • The supplied facts do not establish a sandbox escape, Windows privilege escalation, active campaign, specific delivery route, or product-specific mitigation.
  • Enterprise compliance requires the full product version, not merely the major version.
  • Remediation should be closed only after the installed version is verified at or above the threshold.
The immediate response is therefore uncomplicated: open chrome://settings/help, finish the update check, verify 150.0.7871.46 or later, and relaunch or fully reopen Chrome. Enterprises should perform the same comparison at fleet scale using complete version data and retain evidence of the final result.
If later records change the exploitation status or disclose additional technical details, administrators can reassess priority and detection needs from those new facts. Until then, the strongest response is also the most measurable one: cross the fixed-version boundary, verify the complete version, and avoid turning gaps in the public record into unsupported security claims.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:38:19-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:38:19-07:00
    Original feed URL
  3. Related coverage: security.snyk.io
 

Back
Top