Impact
A use‑after‑free bug exists in Chrome’s Digital Credentials component on macOS. When a victim loads a crafted HTML page, the bug can corrupt the heap, potentially allowing a remote attacker to execute arbitrary code. The weakness is classified as CWE‑416 and CWE‑825.
Affected Systems
Google Chrome on macOS, versions prior to 149.0.7827.197, including any build with the unpatched Digital Credentials implementation.
Risk and Exploitability
Known to be a high severity issue, CVSS score 8.8. The EPSS score is less than 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploits at this time. However, because the flaw permits remote heap corruption via a web page, the risk of exploitation in environments that allow arbitrary HTML is significant. Attackers would need to trick a user into opening a malicious page or exploit a compromised website that can serve such content. The lack of a readily available exploit does not diminish the threat; the class of vulnerability and the potential for code execution mean organizations should treat it as high risk.
OpenCVE Enrichment
Debian DLA
Debian DSA