Impact
An out-of-bounds write in the GPU code of Chrome on Android permits an attacker who has already compromised a renderer process to potentially escape the sandbox by delivering a crafted HTML page. The flaw could enable privilege escalation or remote code execution on the victim's device. The weakness is classified as a heap-based buffer overflow (CWE-122) and an out-of-bounds write (CWE-787), and is rated as a high severity issue by Chromium security.
Affected Systems
All Android builds of Google Chrome that use the affected GPU code, including stable channel versions released before the 149.0.7827.115 update, are vulnerable. Exact affected revisions are not listed, but any install of Chrome on Android that predates the latest stable release at the time of the advisory should be considered at risk.
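One way to triage devices against the fixed build named above is sketched below. It is an added example, not part of the advisory or of Chrome. It assumes each device's output of `adb shell dumpsys package com.android.chrome` has already been collected; the device labels and sample dumps are constructed.

```python
import re

FIXED = (149, 0, 7827, 115)  # first fixed stable build named in the advisory

# Matches a versionName line in `dumpsys package com.android.chrome` output.
_VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def active_version(dumpsys_output):
    """Return the first versionName in the dump (the active package), or None.

    Where Chrome is preinstalled, a later "Hidden system packages" section
    repeats versionName for the older factory copy, so only the first match
    describes the build that actually runs.
    """
    match = _VERSION_RE.search(dumpsys_output)
    return parse_version(match.group(1)) if match else None


def classify(dumpsys_output):
    """Return 'vulnerable', 'patched' or 'unknown' for one device dump."""
    version = active_version(dumpsys_output)
    if version is None:
        return "unknown"  # Chrome absent or output unparseable: review by hand
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "...7827.90" above "...7827.115".
    return "vulnerable" if version < FIXED else "patched"


# Constructed sample dumps keyed by hypothetical device labels.
SAMPLES = {
    "phone-a": "Packages:\n  Package [com.android.chrome]\n    versionName=149.0.7827.90\n",
    "phone-b": "Packages:\n    versionName=149.0.7827.115\n"
               "Hidden system packages:\n    versionName=140.0.7339.51\n",
    "tablet-c": "Unable to find package: com.android.chrome\n",
}

if __name__ == "__main__":
    for device, dump in SAMPLES.items():
        print(device, classify(dump))
```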
Risk and Exploitability
The vulnerability can be exploited remotely through a malicious web page served to the user, provided the attacker first gains control of the renderer process. The CVSS score of 8.3 reflects high severity, while the EPSS score of <1% indicates a very low probability of exploitation. Because a successful exploit could result in a sandbox escape, the issue still represents a significant risk. The vulnerability is not yet listed in the CISA KEV catalog, but organizations should treat it as a high-priority issue and apply mitigations promptly.