Impact
The vulnerability lies in the handling of extensions in Google Chrome versions prior to 149.0.7827.115. This weakness corresponds to CWE-20 (Improper Input Validation) and CWE-653 (Cross-Source Injection). A remote attacker who has already compromised the renderer process can use a crafted HTML page to bypass site isolation barriers and access or manipulate content from multiple sites. This undermines the browser's security boundary and could lead to data leakage or credential theft.
Affected Systems
All installations of Google Chrome older than version 149.0.7827.115 on Windows, macOS, and Linux are affected. The issue was identified in the stable channel and affects any user who has not applied the latest update.
Risk and Exploitability
The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 3.1 indicates low severity. An attacker would need to have already gained control of the renderer process, which typically requires exploitation of another flaw or a user-enabled configuration. Once that foothold is achieved, the crafted HTML page can bypass site isolation without additional privileges. Because the window of opportunity relies on a pre-existing compromise, the likelihood of direct exploitation remains moderate but is non-negligible for high-value targets.