Impact
Use after free in the GFX module of Google Chrome on macOS allows a remote attacker to execute arbitrary code by delivering a crafted HTML page. The flaw is a classic use‑after‑free (CWE‑416) and enables full compromise of the process. Because the exploitation path relies on browser rendering of malicious content, successful exploitation results in the attacker gaining the privileges of the user’s Chrome process.
Affected Systems
Google Chrome for macOS versions prior to 150.0.7871.47 is vulnerable. The issue affects the stable channel and applies to all macOS installations that run these outdated builds.
Risk and Exploitability
Chromium rates the vulnerability as high severity and no EPSS information is currently available. The vulnerability is not listed in CISA’s KEV catalog, but because it permits remote code execution via a browser, the risk to the user is significant. The attack vector is remote, requiring only a crafted web page to be opened in the affected browser. Exploitation prerequisites are minimal; any user who visits a malicious site could be compromised.
OpenCVE Enrichment