Impact
The vulnerability arises from insufficient policy enforcement for extensions in Google Chrome. An attacker who has already compromised the renderer process can exploit this weakness to elevate privileges beyond the normal extension sandbox, potentially gaining the same rights as the logged-in user. This escalated access can be used to install malware, read sensitive data, or modify system settings. The weakness corresponds to CWE-20: Input Validation and is listed as high severity by Chromium.
Affected Systems
Google Chrome releases before 150.0.7871.47 are affected; all desktop builds of Chrome prior to that version are susceptible. The fix is included in Chrome 150.0.7871.47 and later.
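A fleet check against the fixed release above, as an added example that is not part of the original advisory. The host names, the inventory format and every version string other than 150.0.7871.47 are constructed; the comparison is numeric per component, because a plain string comparison would rank 150.0.7871.5 above 150.0.7871.47.

```python
import re

# First fixed release, taken from the advisory text.
FIXED = (150, 0, 7871, 47)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or return None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'vulnerable', 'patched', or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        # No parseable version: needs manual follow-up, never assume patched.
        return "unknown"
    # Tuple comparison is numeric and component-wise.
    return "vulnerable" if version < FIXED else "patched"


def triage(inventory):
    """Map host -> status for an iterable of (host, version_string) records."""
    return {host: classify(raw) for host, raw in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-001", "Google Chrome 149.0.7827.110"),
    ("ws-002", "Google Chrome 150.0.7871.5"),   # string compare would call this newer
    ("ws-003", "Google Chrome 150.0.7871.47"),  # exactly the fixed release
    ("ws-004", "151.0.7900.2"),
    ("ws-005", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{status}")
```
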
Risk and Exploitability
The current EPSS score is not available, and the vulnerability is not listed in CISA KEV. The documented severity is high, indicating substantial impact if the vulnerability is exploited. The attack requires that the attacker first gain access to the renderer process, which may be achieved through compromised web content or other methods. After that, the attacker can serve a crafted HTML page to trigger the privilege escalation. Therefore, the risk level is considered significant for users running affected versions.