Impact
A use-after-free flaw in the WebMIDI implementation of Google Chrome on Windows allows a remote attacker who has already compromised the renderer process to escape the browser sandbox and potentially execute arbitrary code on the host system. The vulnerability involves both a classic memory corruption error (CWE-416) and an insufficient bounds-checking flaw (CWE-825), and is assessed as Critical by Chromium security reviewers.
Affected Systems
Google Chrome on Windows in versions prior to 149.0.7827.115 is vulnerable. All affected installations should be considered at risk and treated as potentially compromised if an attacker could have served a crafted HTML page with WebMIDI requests to them.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, indicating a lower probability of exploitation. Nonetheless, the Chromium severity is Critical and the CVSS score of 8.3 demonstrates a severe potential impact if exploited. Exploitation requires control of a renderer process, obtained via a malicious HTML page served to a user; once the renderer is compromised, the attacker can escape the sandbox through the use-after-free. The low EPSS suggests that widespread or automated exploitation is unlikely at present, but a sandbox escape remains a high-value capability for attackers, so patching to a fixed version remains prudent.