Impact
A use-after-free flaw exists in the fullscreen handling code of Google Chrome on Android. When a web page aggressively requests to enter fullscreen, the timing of internal memory deallocation can allow a subsequent read of memory that has already been freed. A malicious site can craft an HTML page that triggers this sequence, allowing the attacker to run arbitrary code on the device in the context of the Chrome process. The weakness is classified as CWE-416 (Use After Free) and is rated a critical security issue by Chromium.
Affected Systems
Google Chrome for Android in versions prior to 150.0.7871.47 is affected. Any user with a vulnerable Chrome installation who visits a malicious web page that initiates a fullscreen request can be exposed.
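As an added defender's check, not part of the advisory or of OpenCVE's own tooling: a small Python script that decides whether an installed Chrome for Android build predates the fixed version 150.0.7871.47. It assumes the version is read from the `versionName=` line of `adb shell dumpsys package com.android.chrome` output; the dumpsys sample embedded below is constructed, not captured from a device.

```python
from __future__ import annotations
import re

# Fixed build from the advisory: Chrome for Android before this version is affected.
FIXED_VERSION = "150.0.7871.47"

def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted four-component Chrome version into a tuple of ints.

    Numeric comparison matters: a plain string comparison would wrongly rank
    '150.0.7871.5' as newer than '150.0.7871.47'.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-component Chrome version: {v!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)

# Constructed sample of `adb shell dumpsys package com.android.chrome` output
# (assumed layout; only the versionName= line is used).
SAMPLE_DUMPSYS = """\
  Package [com.android.chrome] (1a2b3c4):
    userId=10123
    versionCode=787104000 minSdk=26 targetSdk=35
    versionName=150.0.7871.40
    splits=[base, config.arm64_v8a]
"""

VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)

def installed_version_from_dumpsys(text: str) -> str | None:
    """Return the first versionName= value in dumpsys output, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def assess(dumpsys_text: str) -> tuple[str | None, bool | None]:
    """Return (installed_version, vulnerable); (None, None) if Chrome is absent."""
    v = installed_version_from_dumpsys(dumpsys_text)
    if v is None:
        return None, None
    return v, is_vulnerable(v)

if __name__ == "__main__":
    version, vulnerable = assess(SAMPLE_DUMPSYS)
    print(f"installed={version} vulnerable={vulnerable}")
```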
Risk and Exploitability
The vulnerability is classified as Critical, meaning that successful exploitation can lead to complete compromise of the affected device. No official EPSS score is available and the vulnerability is not listed in the CISA KEV catalog; neither fact reduces the inherent risk of a remote code execution flaw. Attackers can exploit it remotely by delivering a crafted HTML page that initiates a fullscreen request. The likely attack vector is a malicious website that coerces fullscreen; other potential vectors such as phishing or malicious ads are inferred but not confirmed in the official description. No additional access controls or prerequisite conditions are required beyond the presence of a vulnerable Chrome build.
OpenCVE Enrichment