Impact
Inappropriate handling of password data in Google Chrome versions before 149.0.7827.197 allows a remote attacker that has already compromised the renderer process to bypass site isolation by serving a crafted HTML page. This flaw lets the attacker escape the renderer sandbox, access privileged browser processes, and potentially read or manipulate user credentials and other sensitive data that would normally be protected by site isolation. Chromium security labels the issue as high severity.
Affected Systems
All installations of Google Chrome that run a stable channel build older than 149.0.7827.197 are vulnerable. Any user who has not yet upgraded to 149.0.7827.197 or a later version remains at risk.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity, and the EPSS score is not available; it is not listed in CISA KEV. The likely attack vector is a malicious or compromised webpage that the user accesses, forcing code execution in the renderer process. Based on the description, it is inferred that the attacker must first gain control of the renderer before the site isolation bypass can be used. Once the renderer is compromised, the attacker can trigger the bypass by loading a crafted HTML page. Exploitation requires advanced capabilities, so the likelihood is moderate to high among attackers with sophisticated tooling. Successful exploitation could provide unauthorized access to saved passwords, session cookies, and other credentials, potentially leading to account takeover or broader system compromise.
OpenCVE Enrichment
Debian DLA
Debian DSA