Impact
The vulnerability arises from an inappropriate implementation (CWE-346) that allows a remote attacker who has compromised the renderer process to leak cross‑origin data via a crafted HTML page, resulting in confidentiality loss.
Affected Systems
Google Chrome browsers prior to 149.0.7827.197 on all desktop platforms where Autofill is enabled are affected. The flaw exists in the renderer process and applies to every desktop release below the specified version.
Risk and Exploitability
Exploitation requires prior compromise of the renderer process, which typically entails a separate vulnerability or social engineering. Once control is achieved, a malicious website can trigger the data leak. The CVSS score of 3.1 reflects a nominal severity; the EPSS score of < 1% signifies a very low likelihood of exploitation. The vulnerability is not in the CISA KEV catalog, so overall risk remains low to moderate, with confidentiality as the primary concern in compromised environments.
OpenCVE Enrichment
Debian DLA
Debian DSA