Impact
Insufficient validation of untrusted input in Chrome's Settings on Windows allows a remote attacker who has already compromised the renderer process to potentially escape the sandbox via a crafted HTML page. This flaw is a classic input validation problem, identified as CWE-20. As a consequence, an attacker could execute code with higher privileges than the renderer, impacting the security of the entire Chrome process and potentially the host system.
Affected Systems
Google Chrome running on Windows. Any installation prior to version 150.0.7871.47 is affected. No explicit version range is provided beyond this upper bound, so users of earlier stable builds remain vulnerable.
Risk and Exploitability
The Chromium severity for this vulnerability is High, indicating a serious threat once the conditions are met. An EPSS score is not available and the issue is not listed in CISA's KEV catalog. Although exploitation requires that a renderer process is already compromised, the issue still poses a substantial risk of privilege escalation and remote code execution. The likely attack vector is a maliciously crafted HTML page delivered to a user's Chrome instance. The risk is mitigated only by applying the advisory update to version 150.0.7871.47 or newer.