Impact
A weakness in Google Chrome’s File System Access policy was identified. Before version 149.0.7827.155, an attacker who could compromise a renderer process could craft a special PDF that bypasses the browser’s site isolation, allowing read access to data that should be confined within a protected site context. This is an Access Control flaw (CWE‑284) and a flaw related to system configuration or policy enforcement (CWE‑807).
Affected Systems
Any Google Chrome installation running a version earlier than 149.0.7827.155 is affected. The vulnerability can be triggered by a malicious PDF loaded from an untrusted source.
Risk and Exploitability
The EPSS score is below 1%, indicating a very low probability of exploitation in the wild. The CVSS score of 4.2 rates the severity as low. Chromium considers the vulnerability high, but exploitation requires prior compromise of the renderer process, which reduces the likelihood of successful attacks. The vulnerability is not listed in the CISA KEV catalog, so no active exploits are known. Overall risk remains low to moderate until the browser is updated to the patched version.
OpenCVE Enrichment
Debian DSA