Multiple Zero‑Day Flaws in Google Chrome Enable Arbitrary Code Execution (CVE‑2026‑13774 to CVE‑2026‑13855)
What Happened — The CIS Advisory 2026‑064 details more than a dozen newly disclosed Chrome vulnerabilities, several of which are use‑after‑free or type‑confusion bugs that could let an attacker execute arbitrary code in the context of the logged‑in user. Successful exploitation could install programs, modify or delete data, or create new privileged accounts.
Why It Matters for Compliance & Audit Readiness
- SOC 2 CC6.1 (Logical Access) requires documented controls that prevent unauthorized code execution on user workstations.
- Continuous‑compliance programs must evidence timely patching and privileged‑access monitoring to satisfy the “System Operations” and “Change Management” criteria.
- Verisq’s SOC2 Access Controls capability provides automated patch‑status feeds and privileged‑session logs that serve as audit‑ready evidence of remediation.
Who Is Affected — Enterprises across government, financial services, technology SaaS, and large‑scale business environments that rely on Chrome as the default browser.
Recommended Actions
- Deploy Chrome 150.0.7871.46 (or later) across all endpoints immediately.
- Enforce least‑privilege configurations; avoid running browsers with local admin rights.
- Integrate patch‑status telemetry into your SOC 2 evidence collection pipeline.
- Monitor for anomalous process creation or credential‑creation events post‑patch.
Source: CIS Advisory 2026‑064
Technical Notes
- CVE‑2026‑13774 – Use‑after‑free in Extensions (initial‑access, drive‑by compromise).
- CVE‑2026‑13775 – Use‑after‑free in GPU; CVE‑2026‑13776 – Type confusion in Dawn; several others affect WebUSB, Chromoting, ANGLE, Skia, Bluetooth, Ozone, etc.
- No public exploitation reports yet; risk rating remains High for privileged users.
Source: CIS Advisory 2026‑064