Impact
A use‑after‑free bug in the Input Method Editor (IME) component of Google Chrome enabled a remote attacker to run arbitrary code inside the browser sandbox by serving a specially crafted HTML page. The vulnerability stems from improper handling of freed memory (CWE‑416), allowing malicious data to be processed after the associated object was deallocated. Exploitation could lead to code execution with the privileges of the current user, potentially compromising the confidentiality and integrity of the system.
Affected Systems
The flaw affected Google Chrome desktop releases prior to version 150.0.7871.47. All builds that include this IME implementation are susceptible until upgraded to the patched version. Because the CVE describes the vulnerability as affecting versions prior to 150.0.7871.47, users on any older stable-channel build should check their installed version.
Risk and Exploitability
The public EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, indicating no current known exploit in the wild. Nevertheless, the Chromium severity is classified as high and the attack would likely be carried out via a crafted HTML page opened in the victim's Chrome browser. In the absence of an official workaround, the risk remains significant for any user who visits malicious sites while running an affected Chrome build.