CVE-2026-13864 Overview
CVE-2026-13864 is an insufficient policy enforcement vulnerability in the WebHID component of Google Chrome versions prior to 150.0.7871.47. The flaw allows an attacker who convinces a user to install a malicious extension to perform privilege escalation through a crafted Chrome Extension. Google's Chromium project rated the underlying security severity as Medium, while the National Vulnerability Database (NVD) assigns a CVSS 3.1 score of 8.1 (HIGH). The vulnerability is tracked under [CWE-284: Improper Access Control].
Critical Impact
A malicious Chrome extension can bypass WebHID policy controls to escalate privileges, gaining access to human interface devices beyond intended browser sandbox boundaries.
Affected Products
- Google Chrome (Desktop) versions prior to 150.0.7871.47
- Chromium-based browsers incorporating the vulnerable WebHID implementation
- Systems running Chrome extensions with WebHID permission access
Discovery Timeline
- 2026-06-30 - CVE-2026-13864 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-13864
Vulnerability Analysis
The vulnerability resides in Chrome's WebHID API, which provides web content and extensions programmatic access to Human Interface Devices (HID) such as keyboards, gamepads, and specialized peripherals. Insufficient policy enforcement in this subsystem allows a malicious extension to reach device access paths that should be restricted by the browser's permission model.
Because WebHID interacts with hardware devices, a successful bypass provides an attacker with elevated capabilities not normally available to extension code. The Chromium project classified this as a privilege escalation issue reachable through a crafted extension. The confidentiality, integrity, and availability impact is rated High under the CVSS 3.1 metric set.
Root Cause
The root cause is improper access control [CWE-284] within the WebHID permission enforcement logic. Policy checks that should gate extension-initiated HID operations are insufficient, allowing extension code paths to reach privileged device functionality without the expected verification.
Attack Vector
Exploitation requires the attacker to convince a user to install a malicious Chrome Extension. Once installed, the extension leverages WebHID API calls that bypass policy enforcement to escalate privileges within the browser context. The attack complexity is High because the attacker must first achieve extension installation, but no additional user interaction is required once the extension is active. Refer to the Chromium Issue Tracker Entry for further technical detail once access restrictions are lifted.
No verified proof-of-concept code is publicly available for CVE-2026-13864.
See the Chromium issue tracker for restricted technical details.
Detection Methods for CVE-2026-13864
Indicators of Compromise
- Chrome extensions requesting the hid permission from unknown or unverified publishers
- Unexpected extension installations on managed endpoints, particularly outside enterprise-approved extension allowlists
- Chrome process versions below 150.0.7871.47 continuing to run after patch deployment windows
- Anomalous HID device enumeration or access events originating from browser processes
Detection Strategies
- Inventory installed Chrome extensions across the fleet and correlate against an approved list, flagging any extension declaring hid in its manifest permissions.
- Query endpoint telemetry for Chrome executable versions and identify hosts running builds prior to 150.0.7871.47.
- Monitor extension installation events from sources other than the Chrome Web Store or enterprise policy deployment.
Monitoring Recommendations
- Enable Chrome Enterprise reporting to surface extension install, update, and permission events to a central log store.
- Alert on new extensions requesting sensitive permissions such as WebHID, WebUSB, or nativeMessaging.
- Track browser version drift and generate alerts when endpoints fall behind the current stable Chrome release.
How to Mitigate CVE-2026-13864
Immediate Actions Required
- Update Google Chrome to version 150.0.7871.47 or later on all managed endpoints.
- Audit currently installed extensions and remove any that request WebHID access without a documented business need.
- Enforce an extension allowlist via Chrome Enterprise policy to prevent installation of untrusted extensions.
- Restart Chrome after updates to ensure the patched binary is loaded across all user sessions.
Patch Information
Google released the fix in the Chrome Stable channel update documented in the Google Chrome Desktop Update. Administrators should deploy Chrome 150.0.7871.47 or later. Additional technical context is tracked in the Chromium Issue Tracker Entry.
Workarounds
- Disable extension installation for standard users via the ExtensionInstallBlocklist policy set to *, permitting only allowlisted extensions.
- Block or restrict use of the WebHID API through the DefaultWebHidGuardSetting and WebHidBlockedForUrls enterprise policies.
- Restrict extension sources to the Chrome Web Store or an internally curated enterprise store using ExtensionInstallSources.
# Chrome Enterprise policy example (Linux managed policy JSON)
{
"ExtensionInstallBlocklist": ["*"],
"ExtensionInstallAllowlist": ["<approved-extension-id-1>", "<approved-extension-id-2>"],
"DefaultWebHidGuardSetting": 2,
"WebHidBlockedForUrls": ["*"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

