Impact
In Google Chrome for Android, versions before 149.0.7827.115 have an inappropriate implementation in the passwords feature that may allow a remote attacker who has compromised the renderer process to bypass site isolation by loading a specially crafted HTML page. The vulnerability is mapped to CWE-1100 (Improper Handling of Arbitrary Inputs) and CWE-346 (Improper Verification of Cryptographic Checksum).
Affected Systems
Google Chrome on Android, all releases earlier than version 149.0.7827.115, as identified by the vendor and product data.
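An added example, not part of the advisory or of any vendor tooling: a POSIX shell check that reads `dumpsys package` output and flags Chrome builds older than 149.0.7827.115. The package name `com.android.chrome` (stable channel), the function names and the sample device output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Chrome for Android builds older than the fixed release.
FIXED_VERSION="149.0.7827.115"   # fixed version named in the advisory

# Succeeds when dotted version $1 is strictly lower than $2.
# Components are compared numerically: as strings, "90" would sort after "115".
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Reads `dumpsys package` output on stdin, prints the first versionName value.
chrome_version_from_dumpsys() {
    sed -n 's/^[[:space:]]*versionName=\([0-9.]*\).*/\1/p' | head -n 1
}

# Prints VULNERABLE, PATCHED or UNKNOWN for one version string.
classify_chrome() {
    case $1 in
        ''|*[!0-9.]*) echo UNKNOWN; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# Constructed sample of `adb shell dumpsys package com.android.chrome` output.
SAMPLE_DUMPSYS='Packages:
  Package [com.android.chrome] (constructed):
    versionCode=1 minSdk=29 targetSdk=35
    versionName=149.0.7827.90'

# On a real device: adb shell dumpsys package com.android.chrome | chrome_version_from_dumpsys
found=$(printf '%s\n' "$SAMPLE_DUMPSYS" | chrome_version_from_dumpsys)
echo "com.android.chrome $found: $(classify_chrome "$found")"
```
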
Risk and Exploitability
An attacker must first gain control of the renderer process; only then can the crafted HTML page be used to bypass site isolation. The EPSS score of <1% indicates a low probability of active exploitation. The CVSS score of 3.1 indicates a moderate risk level, and the vulnerability is not listed in the CISA KEV catalog.