Impact
Insufficient validation of untrusted input in Chrome's navigation component allows an attacker who has already compromised the renderer process to bypass site isolation by loading a specially crafted HTML page. This flaw can enable the attacker to access or control web content that should be isolated, potentially leading to cross-origin data leaks or execution of malicious code within unintended sites.
Affected Systems
Google Chrome versions earlier than 149.0.7827.197 are vulnerable. The affected product is Google Chrome; versions prior to 149.0.7827.197 should be upgraded to a fixed release.
Risk and Exploitability
The vulnerability is rated with a CVSS score of 4.2, indicating low severity, and its EPSS score is 0.00146 (less than 1%), indicating a very low but non-zero likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to first gain control of the renderer process, a non-trivial prerequisite. If achieved, the flaw can be leveraged to bypass browser security boundaries and potentially compromise isolation guarantees.
OpenCVE Enrichment
Debian DLA
Debian DSA