Impact
An implementation flaw in the Passwords feature of Google Chrome allows a remote attacker who convinces a user to perform specific UI gestures to cause the browser to unintentionally expose data that should remain confined to its origin. The flaw is classified as CWE-451 and CWE-940 and is identified by Chromium as a high‑severity issue, meaning sensitive information could be accessed by an attacker. The impact is limited to the leakage of cross‑origin data, compromising confidentiality but not providing code execution or broader system compromise.
Affected Systems
Google Chrome desktop versions prior to 149.0.7827.155 are affected. This includes all operating systems on which the Chrome browser is installed and has not yet received the 149.0.7827.155 release or newer. Chrome builds that contain the fix for 149.0.7827.155 or later are not affected, nor are browsers other than Chrome.
Risk and Exploitability
The CVSS score of 3.1 indicates a low overall severity, and the EPSS score of less than 1% reflects a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to convince a user to interact with a maliciously crafted HTML page that triggers specific UI gestures. Given the low severity and exploitation probability, the immediate risk is moderate but should still be mitigated promptly.
OpenCVE Enrichment
Debian DSA