CVE-2026-14101
Published: 30 June 2026
Summary
CVE-2026-14101 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40788
Vulnerability details
Insufficient policy enforcement in Sandbox in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Sandbox escape after renderer compromise directly enables exploitation for privilege escalation (T1068).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
- Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
- The control mandates review of privilege assignments to ensure they are appropriate and minimal.
- Reviewing changes for security impacts prevents introduction of improper privilege assignments or escalations.
- Baseline tailoring enforces organization-specific privilege-management decisions rather than accepting generic high-water-mark settings.
- The documented concept of operations forces organizations to specify how privileges will be assigned, used, and reviewed, directly limiting improper privilege management in day-to-day operations.
- Centralized privilege assignment and oversight prevent ad-hoc or excessive privilege grants that occur when each system is configured independently.
- Dedicated senior leadership with resources directly enables consistent organization-wide privilege management and enforcement of least privilege.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-693
- V-248525 All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. via CWE-693
Windows 10 (3 rules)
- V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
- V-220865 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-693
- V-220812 Credential Guard must be running on Windows 10 domain-joined systems. via CWE-693
Windows 11 (2 rules)
- V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
- V-253418 The Windows Remote Management (WinRM) service must not use Basic authentication. via CWE-693
Windows Server 2016 (2 rules)
- V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
- V-225012 Windows Server 2016 must be running Credential Guard on domain-joined member servers. via CWE-693
Windows Server 2019 (2 rules)
- V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
- V-205907 Windows Server 2019 must be running Credential Guard on domain-joined member servers. via CWE-693
Windows Server 2022 (2 rules)
- V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
- V-254441 Windows Server 2022 must be running Credential Guard on domain-joined member servers. via CWE-693