External risk intelligence

Google Chrome Sandbox Escape via Malicious HTML Page

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-14104

The vulnerability requires a user to visit a crafted web page using the browser. As a client-side application, Chrome is not deployed as a public-facing service or internet-accessible gateway. Exposure is entirely dependent on user action rather than the product being hosted on the internet for unsolicited external access.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in Google Chrome that could allow a remote attacker to execute arbitrary code by tricking a user into visiting a specially crafted webpage. While the technical severity is high, the actual risk to the organization is considered very unlikely because exploitation depends on user interaction and Chrome is not typically a publicly exposed service.

  • Attackers can run code via malicious web pages.
  • Low exposure risk requires user interaction.
  • Confirm relevance and user exposure.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user into visiting a malicious webpage that exploits a flaw in how Chrome handles web app installations. This flaw allows the attacker to run their own code within the browser's secure sandbox, potentially leading to broader system compromise.

  • Entry condition: User visits a malicious webpage.
  • Trigger point: Insufficient input validation in WebAppInstalls.
  • Resulting risk: Arbitrary code execution within sandbox.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact users when they visit a malicious website using a vulnerable version of Google Chrome. An attacker could potentially execute arbitrary code within the browser's sandbox.

  • Browser sandbox integrity could be compromised.
  • Via a crafted HTML page on a malicious website.
  • Potential for unauthorized code execution within the browser.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Google Chrome's WebAppInstalls feature requires a user to interact with a malicious HTML page to be exploited, making it a client-side concern rather than a direct infrastructure threat. The primary responsibility for managing this risk typically falls to teams that oversee end-user computing environments, such as desktop support or endpoint management, in coordination with security operations for broader exposure assessment. The first practical step involves identifying endpoints using the affected browser version, assessing the risk based on user behavior and potential for malicious site visitation, and then planning for coordinated updates, likely during scheduled maintenance windows.

  • Own by endpoint management and security teams.
  • Verify affected Chrome versions and user exposure.
  • Plan staged browser updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Google Chrome in the context of CVE-2026-14104?

Google Chrome is a widely used web browser that renders HTML content and manages web applications. The specific component involved here, WebAppInstalls, handles the process of installing and managing web-based applications directly within the browser environment. This vulnerability affects how that component processes external data.

What does insufficient input validation mean for this CVE?

This refers to CWE-20, a weakness where a program fails to properly verify or sanitize data received from an outside source. In this case, Chrome’s WebAppInstalls feature incorrectly handles inputs from a crafted HTML page. Because the browser trusts this malicious data, it may inadvertently execute unauthorized code within its secure sandbox.

How is this vulnerability triggered?

An attacker triggers this by enticing a user to navigate to a specifically crafted HTML page using a vulnerable version of Chrome. Simply having the browser installed or running in the background does not trigger the bug; the active interaction—the user actually visiting the malicious site—is the necessary prerequisite for the code execution flaw to occur.

Do I need to worry about this if Chrome isn't a public server?

According to Halo Surface Signal, this risk is very unlikely for infrastructure because Chrome is a client-side application, not a public-facing internet gateway. You should focus on endpoints where users browse the web, as the risk is entirely dependent on user behavior rather than the browser being directly reachable by attackers over the internet.

How do I respond to CVE-2026-14104?

The primary response is to update Google Chrome to version 150.0.7871.47 or later. Since this is an endpoint-focused issue, teams responsible for device management should identify machines running older versions and schedule them for browser updates to ensure users are protected against malicious web content.

References