Impact
A heap buffer overflow in the Codecs component of Google Chrome on Linux and ChromeOS allows a remote attacker who has already compromised the renderer process to craft a malicious HTML page that can potentially escape the renderer sandbox, giving the attacker execution privileges beyond the sandbox.
Affected Systems
Google Chrome versions earlier than 149.0.7827.115 running on Linux or ChromeOS are impacted.
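An added example, not part of the original advisory: one way to triage a browser inventory against the fixed version stated above. It compares version components numerically, because a plain string comparison would rank 149.0.7827.99 above 149.0.7827.115. The inventory rows, hostnames and function names are constructed for illustration.

```python
import re

FIXED = (149, 0, 7827, 115)                # first unaffected version, per the advisory
AFFECTED_PLATFORMS = {"linux", "chromeos"}  # platforms the advisory names

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 148.0.7778.200 ' (the shape `google-chrome --version` prints)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(platform, version_text):
    """True when the platform is in scope and the version is below FIXED."""
    if platform.strip().lower() not in AFFECTED_PLATFORMS:
        return False
    # Tuple comparison is numeric per component: (.., 99) < (.., 115).
    return parse_version(version_text) < FIXED

def triage(inventory):
    """Split inventory rows into (affected hosts, hosts needing a manual check)."""
    affected, unparsed = [], []
    for host, platform, version_text in inventory:
        try:
            if is_affected(platform, version_text):
                affected.append(host)
        except ValueError:
            unparsed.append(host)  # in-scope platform, version unknown
    return affected, unparsed

# Constructed sample inventory (hostnames and older versions are invented).
SAMPLE = [
    ("ws-01", "Linux", "Google Chrome 149.0.7827.99 "),
    ("ws-02", "Linux", "Google Chrome 149.0.7827.115 "),
    ("ws-03", "ChromeOS", "148.0.7778.200"),
    ("ws-04", "Windows", "Google Chrome 148.0.7778.200"),
    ("ws-05", "Linux", "chrome: command not found"),
]

if __name__ == "__main__":
    affected, unparsed = triage(SAMPLE)
    print("affected:", affected)
    print("needs manual check:", unparsed)
```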
Risk and Exploitability
The vulnerability is rated high, with a CVSS score of 8.3. The EPSS score is less than 1%, indicating a very low but nonzero probability of exploitation. It is not listed in CISA’s KEV catalog. Exploitation requires an initial compromise of the renderer process, which typically depends on other vulnerabilities or user‑initiated actions. Once the renderer is compromised, the sandbox escape may allow the attacker to execute code with the renderer’s privileges, potentially affecting the security of the host system.