Impact
This vulnerability originates from an inappropriate implementation within the Autofill component of Google Chrome on Android. A remote attacker who has already compromised the browser's renderer process can exploit this flaw to leak cross‑origin data through a specially crafted HTML page. The flaw allows an attacker to obtain sensitive information belonging to different origins, resulting in a potential information disclosure incident. The weakness is classified as CWE‑200: Information Exposure.
Affected Systems
Affected systems are devices running Google Chrome for Android versions earlier than 150.0.7871.47. The grant of browser version numbers applies to the stable channel and all its predecessor releases. Users of any Android hardware or operating system that ships Chrome at these versions are at risk, as the flaw is present across all affected builds.
Risk and Exploitability
The CVSS-based severity for this issue is High, reflecting the potential for data leakage. Although the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the requirement for a compromised renderer process lowers the likelihood of exploitation in the wild. Nonetheless, should an attacker gain such privileges – for example through another browser or system vulnerability – they could readily trigger the data leak. The attack vector is an application-level flaw that relies on privileged renderer access rather than a network or remote code execution path.
OpenCVE Enrichment