Impact
Inappropriate handling of HTML content in Chrome DevTools allows a remote threat actor that has already gained control of the renderer process to escape the renderer sandbox by loading a specially crafted page. The flaw, identified as CWE‑20 Input Validation and CWE‑501 Information Exposure, enables the attacker to run code in the renderer with privileges exceeding those granted by the sandbox, potentially compromising the host operating system.
Affected Systems
The flaw exists in Google Chrome versions before 149.0.7827.115. Users running any unsupported or older Chrome installation should verify the installed version and upgrade to at least 149.0.7827.115 to obtain the vendor patch.
Risk and Exploitability
The EPSS score of <1% indicates a low probability of exploitation in the wild, and the vulnerability does not appear in CISA’s KEV catalog. The CVSS score of 8.3 signals high severity. Based on the description, it is inferred that the attacker must first gain control of the renderer process—typically by tricking a user into visiting malicious web content—and then load a specially crafted page to perform a sandbox escape. Once the attacker achieves this, they can execute code with elevated privileges on the host operating system.