Impact
A use-after-free flaw in the extension handling of Google Chrome lets a malicious extension trigger memory corruption and execute code of the attacker's choosing. If a user accepts a malicious add-on, the attacker can gain full control of the browser process and move laterally to system resources.
Affected Systems
All desktop variants of Google Chrome running a version earlier than 150.0.7871.47 are vulnerable. This includes Windows, macOS, and Linux builds that have not yet received the latest stable channel update.
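As an added check that is not part of the advisory: a small inventory script that flags desktop hosts running a Chrome build older than the fixed version, tolerating package suffixes and short version strings. The hostnames, platform labels and versions in the sample inventory are constructed.

```python
import re
from typing import Iterable

# Fixed version stated in the advisory: desktop Chrome older than this is affected.
FIXED_VERSION = "150.0.7871.47"
# The advisory scopes the issue to desktop builds only.
DESKTOP_PLATFORMS = {"windows", "macos", "linux"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Chrome version string into a comparable 4-tuple of integers.

    Chrome uses major.minor.build.patch. Package managers may append a suffix
    such as "-1"; anything after the leading dotted digits is ignored. Missing
    trailing components are padded with zeros, so "150.0.7871" -> 150.0.7871.0.
    """
    m = re.match(r"^\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised Chrome version string: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def affected_hosts(inventory: Iterable[dict]) -> list[str]:
    """Return hostnames of desktop machines running an affected Chrome.

    Each record is a dict with 'host', 'platform' and 'version'. Non-desktop
    platforms are outside this advisory's scope and are skipped.
    """
    return [
        rec["host"]
        for rec in inventory
        if rec["platform"].lower() in DESKTOP_PLATFORMS and is_affected(rec["version"])
    ]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "Windows", "version": "150.0.7871.47"},
    {"host": "ws-02", "platform": "Windows", "version": "149.0.7801.120"},
    {"host": "mac-03", "platform": "macOS", "version": "150.0.7871.46"},
    {"host": "lx-04", "platform": "Linux", "version": "150.0.7871.47-1"},
    {"host": "lx-05", "platform": "Linux", "version": "150.0.7871"},
    {"host": "phone-06", "platform": "Android", "version": "140.0.7000.1"},
]

if __name__ == "__main__":
    print("Affected desktop hosts:", affected_hosts(SAMPLE_INVENTORY))
```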
Risk and Exploitability
The vulnerability is rated critical by Chromium and is classified as a use-after-free weakness (CWE-416). No EPSS score is currently available and the issue is not listed in the CISA KEV catalog, so there is no confirmed widespread exploitation at this time. The attack vector relies on social engineering: an attacker must convince a user to install a malicious extension. Once the extension is loaded, arbitrary code execution follows without further conditions.
OpenCVE Enrichment