Cyber Resilience

CVE-2026-14101

Critical

Published: 30 June 2026
Modified: 02 July 2026
CVSS v3.1 base score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.0024 (15.4th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-14101 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit likelihood ranks at the 15.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Insufficient policy enforcement in Sandbox in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived)

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox escape after renderer compromise directly enables exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Google Chrome ≤ 150.0.7871.47 (the vulnerability description states that versions prior to 150.0.7871.47 are affected, so the listed version is the first fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • addresses CWE-693, CWE-269: Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
  • addresses CWE-269, CWE-693: Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
  • addresses CWE-269, CWE-693: The control mandates review of privilege assignments to ensure they are appropriate and minimal.
  • addresses CWE-269, CWE-693: Reviewing changes for security impacts prevents the introduction of improper privilege assignments or escalations.
  • addresses CWE-269, CWE-693: Baseline tailoring enforces organization-specific privilege-management decisions rather than accepting generic high-water-mark settings.
  • addresses CWE-269, CWE-693: The documented concept of operations forces organizations to specify how privileges will be assigned, used, and reviewed, directly limiting improper privilege management in day-to-day operations.
  • addresses CWE-269, CWE-693: Centralized privilege assignment and oversight prevent ad-hoc or excessive privilege grants that occur when each system is configured independently.
  • addresses CWE-269, CWE-693: Dedicated senior leadership with resources directly enables consistent organization-wide privilege management and enforcement of least privilege.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-693
  • V-248525 All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. via CWE-693
Windows 10 (3 rules)
  • V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
  • V-220865 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-693
  • V-220812 Credential Guard must be running on Windows 10 domain-joined systems. via CWE-693
Windows 11 (2 rules)
  • V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
  • V-253418 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-693
Windows Server 2016 (2 rules)
  • V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
  • V-225012 Windows Server 2016 must be running Credential Guard on domain-joined member servers. via CWE-693
Windows Server 2019 (2 rules)
  • V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
  • V-205907 Windows Server 2019 must be running Credential Guard on domain-joined member servers. via CWE-693
Windows Server 2022 (2 rules)
  • V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
  • V-254441 Windows Server 2022 must be running Credential Guard on domain-joined member servers. via CWE-693