Impact
A use‑after‑free flaw in the QUIC implementation of Google Chrome allows an attacker to send crafted network traffic that can corrupt the browser's heap memory, potentially leading to arbitrary code execution. The vulnerability arises when a memory region is freed and later accessed, a classic heap corruption scenario that qualifies as a high‑severity weakness (CWE‑416). Because the flaw can be triggered by external input, it poses risks to confidentiality, integrity, and availability of an affected system.
Affected Systems
All desktop editions of Google Chrome older than version 150.0.7871.47, on Windows, macOS, and Linux, are vulnerable. The OS coverage is inferred from typical Chrome usage patterns, as it is not explicitly stated in the advisory. The issue lies in the QUIC networking stack, which is enabled by default for HTTPS traffic in recent releases distributed through the stable channel.
Risk and Exploitability
Based on the description, the attacker can exploit the flaw by directing malicious QUIC packets to a Chrome instance over the network; no local user interaction or elevated privileges are required. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog; whether it is being widely exploited is currently unknown. Nevertheless, the CVSS score of 8.1 indicates high risk, and the potential for arbitrary code execution warrants immediate remediation.
OpenCVE Enrichment