Impact
Insufficient policy enforcement in the Canvas API of Google Chrome allows a remote attacker to create a crafted HTML page that reads and leaks data from a different origin. The flaw violates the same‑origin restriction that normally protects canvas content, enabling an attacker to obtain information that should be confidential.
Affected Systems
Google Chrome desktop installations running any version prior to 150.0.7871.47 are affected; the issue was fixed in that revision and in all later releases.
Risk and Exploitability
The vulnerability is exploitable by presenting a malicious page to a user who opens it in Chrome; no authentication or privileged execution is required. Because the EPSS score is unavailable and the issue is not listed in the CISA KEV catalog, the probability of exploitation is uncertain, but the high severity and cross‑origin nature point to a significant risk to confidentiality when sensitive data is rendered in canvases.
OpenCVE Enrichment