Impact
The vulnerability is an out‑of‑bounds read and write in the Blink InterestGroups component of Google Chrome. An attacker can deliver a crafted HTML page that forces the browser to access memory beyond allocation, allowing the attacker to read sensitive data and write arbitrary values, thereby executing arbitrary code. The issue involves both a buffer underread (CWE‑125) and a buffer out‑of‑bounds write (CWE‑787), making it a critical memory corruption flaw.
Affected Systems
All installations of Google Chrome versions earlier than 149.0.7827.197 are affected. No other vendors or products are listed. The vulnerability is limited to the Chrome desktop browser.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity, yet the EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. It can be exploited remotely via a crafted web page, requiring only that the victim opens a malicious URL or loads a page containing malicious InterestGroups code. Attackers can gain full control of the victim’s browser process, compromising confidentiality, integrity, and availability of the user session.
OpenCVE Enrichment
Debian DLA
Debian DSA