Impact
The vulnerability is a use‑afterfree flaw in the password storage component of Google Chrome on Android. An attacker can trigger the flaw by delivering a specially crafted HTML page, causing arbitrary code execution with the privileges of the browser process. The weaknesses (CWE‑416 and CWE‑825) undermine confidentiality and integrity, allowing a complete compromise of the device.
Affected Systems
Google Chrome for Android versions earlier than 149.0.7827.155 are affected. Users of the stable channel or any channel that has not yet received the 149.0.7827.155 update remain vulnerable.
Risk and Exploitability
The CVSS score of 8.8 reflects a high severity for remote exploitation. The EPSS score of less than 1% indicates a low probability of public exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Still, the attack can be carried out remotely by a crafted web page, suggesting a broad potential impact if an attacker can lure a user to a malicious site.
OpenCVE Enrichment
Debian DSA