Impact
A use‑after‑free flaw (CWE‑416) in the WebGL implementation of Google Chrome on Android allows a malicious HTML page to trigger memory corruption (CWE‑825). This can enable a remote attacker to escape the browser sandbox and execute code outside of Chrome’s confines, potentially escalating to full device compromise.
Affected Systems
Android devices running Google Chrome on the stable channel with a version earlier than 149.0.7827.197 are affected. The issue exists in all stable releases prior to the patch. No other platforms or channels were mentioned.
Risk and Exploitability
The CVSS score of 9.6 classifies the vulnerability as critical, while the EPSS score of less than 1 % suggests a low current exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is a crafted HTML page that a user opens in Chrome; no additional credentials or network access are required. If successfully exploited, the attacker could escape the sandbox and potentially gain elevated privileges on the device.
OpenCVE Enrichment
Debian DLA
Debian DSA