Cyber Resilience

CVE-2026-14041

High

Published: 30 June 2026

Modified: 02 July 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (16.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-14041 is a high-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Direct match to exploitation enabling privilege escalation in browser via crafted page (T1068); also facilitates client-side code execution (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-13903 · Same product: Google Chrome
CVE-2026-14036 · Same product: Google Chrome
CVE-2026-14086 · Same product: Google Chrome
CVE-2023-0704 · Same product: Google Chrome
CVE-2026-8580 · Same product: Google Chrome
CVE-2026-9904 · Same product: Google Chrome
CVE-2026-11061 · Same product: Google Chrome
CVE-2026-13901 · Same product: Google Chrome
CVE-2026-10966 · Same product: Google Chrome
CVE-2022-3308 · Same product: Google Chrome

Affected Assets

Vendor: google · Product: chrome · Version: ≤ 150.0.7871.47

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.