Impact
A use‑after‑free condition in Chrome extensions can corrupt the heap when a malicious extension is installed, involving improper memory handling that also aligns with CWE‑825. This flaw may allow an attacker to cause application crashes or execute arbitrary code, as it falls under CWE‑416 and CWE‑825.
Affected Systems
Google Chrome browsers running versions prior to 149.0.7827.155 on all supported platforms are affected, regardless of operating system.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1% signals a low probability of exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. The flaw involves both CWE‑416 (Use‑after‑free) and CWE‑825, indicating misuse of resources that may lead to heap corruption, and the likely attack vector involves convincing a user to install a deceptive extension, after which the invariant‑free bug could be triggered to corrupt memory.
OpenCVE Enrichment
Debian DSA