Impact
The vulnerability resides in Chrome’s extension renderer process, enabling a crafted HTML page to circumvent the browser’s site‑isolation boundary. This can expose or cross‑read data that should be isolated to a single site context, potentially allowing access to sensitive information within the browser. The likely attack vector is a compromised renderer process, which could be achieved through a malicious extension or by loading untrusted web content that exploits the renderer weakness.
Affected Systems
Google Chrome versions earlier than 149.0.7827.155 on all supported platforms are affected. The stable channel release provides the fix, so users on that channel must update to at least 149.0.7827.155 to eliminate the flaw.
Risk and Exploitability
With a CVSS score of 4.2 the vulnerability is treated as low severity, and the EPSS score of less than 1% indicates a very low chance of exploitation in the wild. It is not listed in the CISA KEV catalog. Nonetheless, because the attack requires a pre‑existing gain of control over the renderer process—often attainable via a malicious or untrusted extension—the risk remains real in environments that allow such extensions or are exposed to potentially malicious web content. The exposure is confined to the browser context and does not directly allow system‑wide compromise without an additional vulnerability.
OpenCVE Enrichment
Debian DSA