Impact
Google Chrome versions before 150.0.7871.47 contain an insufficient validation flaw in the Downloads handling of extensions, allowing an attacker who can persuade a user to install a malicious add-on to run arbitrary code. The weakness is a classic input validation issue that can result in full compromise of the user's system, affecting confidentiality, integrity, and availability.
Affected Systems
All installations of Google Chrome prior to version 150.0.7871.47 are affected. The vulnerability applies to the stable channel and any channel that has not yet received the official update, regardless of operating system.
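As an added example (not part of this advisory or of OpenCVE), a small Python triage helper that checks Chrome version strings from an inventory against the fixed build named above; the hostnames and versions in the sample inventory are constructed, and the numeric comparison matters because plain string ordering would put 99.x after 150.x.

```python
from typing import Iterable

# First non-vulnerable build, taken from the advisory text above.
FIXED_VERSION = "150.0.7871.47"


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a 4-part Chrome version into ints so it orders numerically.

    Plain string comparison is wrong here ("99.0..." sorts after "150.0..."),
    and malformed input raises instead of being silently treated as patched.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome 4-part version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: Iterable[str]) -> dict[str, list[str]]:
    """Bucket 'host,version' records as affected, patched or unknown.

    Unparseable versions get their own bucket so a bad inventory record can
    never hide a vulnerable host behind a 'patched' verdict.
    """
    out: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        out[bucket].append(host)
    return out


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-01,149.0.7800.12",   # older major -> affected
    "ws-02,150.0.7871.46",   # one build short of the fix -> affected
    "ws-03,150.0.7871.47",   # exactly the fixed build -> patched
    "ws-04,99.0.4844.51",    # string compare would wrongly call this newer
    "ws-05,150.0",           # malformed record -> unknown
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` returns ws-01, ws-02 and ws-04 as affected, ws-03 as patched and ws-05 as unknown.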
Risk and Exploitability
Because the flaw only surfaces after a user accepts a malicious extension, the primary attack vector is social engineering. The vulnerability has a high severity designation from Chromium, and it is not yet listed in CISA’s KEV catalog. No EPSS data are available, but the potential for widespread exploitation remains significant given the reliance on the Chrome extension ecosystem.
OpenCVE Enrichment