CVE-2026-14041

Google · Chrome

Google Chrome contains a vulnerability involving insufficient policy enforcement within the Serial API, potentially allowing for unauthorized hardware access or data transmission.

Executive summary

A high-severity policy enforcement flaw in Google Chrome's Serial API implementation poses a risk of unauthorized device interaction and potential data compromise.

Vulnerability

This vulnerability is caused by insufficient policy enforcement within the Serial communication component. An attacker could exploit this to bypass intended access restrictions, potentially allowing unauthorized web content to interact with connected serial devices.

Business impact

The CVSS score of 8.8 indicates a high potential for impact, particularly in environments where legacy hardware or specialized serial devices are integrated with web-based management consoles. Successful exploitation may lead to unauthorized control over connected hardware, unauthorized data exfiltration, or the injection of malicious commands into connected systems.

Remediation

Immediate Action: Deploy the latest Google Chrome security update (version 150 or higher) as soon as it becomes available.

Proactive Monitoring: Audit browser-based access to serial ports and review logs for suspicious patterns of communication between web applications and hardware.

Compensating Controls: Use endpoint security software to restrict web access to physical serial ports until the browser has been patched.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this issue necessitates an immediate patching cycle for all Chrome installations. Security teams should ensure that browser policies are configured to limit Serial API access where not strictly required for business operations while awaiting the vendor update.
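The compensating control in the Remediation section and the policy recommendation above both come down to the same configuration: Chrome's enterprise policies for the Web Serial API. The script below is an added example, not part of this advisory, showing how an administrator could deploy a managed policy on Linux that blocks serial-port access by default (DefaultSerialGuardSetting = 2, versus the permissive default of 3, which lets any site prompt the user) and re-enables the permission prompt only for an explicitly allowed origin. The policy names and values are Chrome's documented ones; the file name `serial-lockdown.json`, the example origin `https://console.example.internal`, and the `POLICY_DIR` override used for testing are assumptions.

```shell
#!/bin/sh
# Added example: deploy a Chrome managed policy that restricts the Web Serial API.
# Assumes the standard Linux managed-policy directory; pass another directory
# as the first argument (used here for testing in a temp dir).

write_serial_policy() {
    dir="${1:-/etc/opt/chrome/policies/managed}"
    allow_origin="${2:-}"   # optional origin that may still prompt for a port
    mkdir -p "$dir"
    file="$dir/serial-lockdown.json"   # assumed file name

    # Sites listed in SerialAskForUrls keep the normal permission prompt;
    # everything else is blocked by DefaultSerialGuardSetting = 2.
    if [ -n "$allow_origin" ]; then
        ask_list="[\"$allow_origin\"]"
    else
        ask_list="[]"
    fi

    # Weak (Chrome default): "DefaultSerialGuardSetting": 3  -> any site may ask.
    # Hardened:              "DefaultSerialGuardSetting": 2  -> blocked unless listed.
    cat > "$file" <<EOF
{
  "DefaultSerialGuardSetting": 2,
  "SerialAskForUrls": $ask_list
}
EOF
    printf '%s\n' "$file"
}

# Returns 0 when the given policy file actually enforces the block-by-default setting.
check_serial_policy() {
    grep -q '"DefaultSerialGuardSetting": *2' "$1"
}

# Usage: SERIAL_POLICY_APPLY=1 sh serial-lockdown.sh  (requires root for /etc/opt/chrome)
if [ "${SERIAL_POLICY_APPLY:-0}" = "1" ]; then
    f=$(write_serial_policy "" "https://console.example.internal")
    check_serial_policy "$f" && echo "Serial API policy deployed: $f"
fi
```

Chrome reads managed policy files at startup, so the change applies at the next browser launch; `chrome://policy` shows whether the settings were picked up. The same two policies exist on Windows and macOS under the Google\Chrome policy keys, so the JSON above maps directly onto registry or plist entries there.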