Impact
This vulnerability arises from an improper implementation in the Mojo IPC system within Google Chrome for Windows. The flaw, classified as a privilege‑escalation weakness (CWE‑269) and an insecure input validation weakness (CWE‑648), can be triggered by a malicious local file, allowing an attacker to elevate privileges at the operating‑system level. This undermines user isolation and could permit local code to execute with administrative rights if the attacker can get the file processed by Chrome.
Affected Systems
Google Chrome installed on Windows operating systems, versions prior to 149.0.7827.115, are affected. Users of older Chrome builds that have not updated to the 149.0.7827.115 release are at risk.
Risk and Exploitability
Security severity is classified as High (CVSS score 8.8) by Chromium. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local; an attacker must be able to place or create a malicious file on the system for the exploitation path to succeed. Once the file is processed by Chrome, the flaw can be leveraged to gain OS‑level privileges, making the risk significant for any user with local access. The lack of exploitation metrics suggests the risk is driven by the high severity of the flaw rather than by widespread exploitation activity.
OpenCVE Enrichment
Debian DSA