Impact
A use‑after‑free vulnerability exists in the DigitalCredentials component of Google Chrome on Windows before build 149.0.7827.155. The flaw, classified as CWE‑416 and CWE‑825, can be triggered by a maliciously crafted HTML page. An attacker may exploit the memory error to escape the browser sandbox, potentially executing arbitrary code on the host system. The impact includes loss of confidentiality and integrity for the affected user.
Affected Systems
The vulnerability affects all Windows installations of Google Chrome using a pre‑149.0.7827.155 build. Users of the latest stable channel or newer revisions are not impacted. No other platforms or browsers are identified as affected.
Risk and Exploitability
The CVSS score of 9.6 indicates critical severity; the EPSS score of less than 1% suggests that a publicly available exploit is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to deliver a crafted HTML page—likely via a compromised website or phishing email—triggering the use‑after‑free, which could lead to sandbox escape and further compromise.
OpenCVE Enrichment
Debian DSA