Impact
This vulnerability is caused by insufficient validation of untrusted input in the WebAppInstalls component of Google Chrome on Windows. A remote attacker can deliver a crafted HTML page that, when a user performs specific UI gestures, will execute arbitrary code in the context of the user’s browser. Because it enables arbitrary code execution, the impact is a complete compromise of confidentiality, integrity, and availability.
Affected Systems
Google Chrome for Windows versions prior to 150.0.7871.47 are affected. Any user running these versions may be vulnerable if they load a maliciously crafted page and perform the required UI gestures.
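The version boundary above, applied as an inventory triage check. This is an added example, not part of the advisory or of any Chrome or OpenCVE tooling; the function names, host names and inventory rows are constructed for illustration, and it assumes the inventory reports Chrome's four-part version string.

```python
import re

FIXED = (150, 0, 7871, 47)  # first non-affected build, taken from the advisory
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text, platform):
    """Return 'affected', 'not-affected', 'out-of-scope' or 'unknown'."""
    if platform.strip().lower() != "windows":
        return "out-of-scope"   # the advisory covers Chrome on Windows only
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparsable value: needs manual follow-up
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "99.0.4844.51" above "150.0.7871.47".
    return "affected" if v < FIXED else "not-affected"

def triage(rows):
    """rows: iterable of (host, platform, version). Returns {status: [hosts]}."""
    report = {}
    for host, platform, version in rows:
        report.setdefault(classify(version, platform), []).append(host)
    return report

# Constructed sample inventory (host names and rows are made up).
SAMPLE = [
    ("ws-001", "Windows", "150.0.7871.46"),
    ("ws-002", "Windows", "150.0.7871.47"),
    ("ws-003", "Windows", "99.0.4844.51"),
    ("ws-004", "Windows", "151.0.7900.2"),
    ("ws-005", "Windows", "n/a"),
    ("mac-001", "macOS", "149.0.7800.10"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unknown" should be treated as unpatched until their version is confirmed.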
Risk and Exploitability
The vulnerability is classified as High by Chromium security. There is no EPSS score available, and it is not listed in the CISA KEV catalog, indicating no publicly known exploits at this time. Attackers would need to entice the user to open a specific HTML page and perform the UI gestures, so social engineering is required. Once the conditions are met, arbitrary code can be executed, leading to a full compromise of the user’s machine.