Impact
A flaw in Google Chrome for iOS prior to 150.0.7871.47 allows a remote adversary who has already compromised the renderer process to construct a malicious HTML page that bypasses input validation and escapes the browser sandbox. The underlying weakness is insufficient input validation (CWE-20). If exploited, the attacker could gain the privileges of the sandboxed renderer, potentially leading to execution of arbitrary code on the device.
Affected Systems
Google Chrome for iOS versions before 150.0.7871.47 are vulnerable. Any device running one of these older builds, on any iOS version that supports them, is at risk until the vendor releases an updated build.
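One way to triage a device inventory against the version boundary above. This is an added example, not code from the advisory or from OpenCVE. The CSV layout, column names and device names are constructed for illustration, and `com.google.chrome.ios` is assumed to be the bundle identifier your inventory tool reports for Chrome on iOS.

```python
import csv
import io

FIXED = (150, 0, 7871, 47)           # boundary version stated in the advisory
BUNDLE_ID = "com.google.chrome.ios"  # assumed bundle identifier for Chrome on iOS

# Constructed sample inventory export (hypothetical columns and devices).
SAMPLE_CSV = """device,bundle_id,version
ipad-014,com.google.chrome.ios,150.0.7871.47
iphone-201,com.google.chrome.ios,150.0.7871.46
iphone-077,com.google.chrome.ios,99.0.4844.59
iphone-310,com.google.chrome.ios,150.0.7871
ipad-002,com.apple.mobilesafari,17.4
iphone-118,com.google.chrome.ios,unknown
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # Pad short versions with zeros so 150.0.7871 compares as 150.0.7871.0.
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def triage(csv_text):
    """Split Chrome for iOS installs into vulnerable, fixed and unparseable."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["bundle_id"] != BUNDLE_ID:
            continue  # other apps are out of scope for this advisory
        version = parse_version(row["version"])
        if version is None:
            result["unknown"].append(row["device"])  # needs manual review
        elif version < FIXED:  # numeric tuple compare, not string compare
            result["vulnerable"].append(row["device"])
        else:
            result["fixed"].append(row["device"])
    return result

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_CSV).items():
        print(status, devices)
```

Comparing integer tuples rather than strings matters here: a plain string comparison would sort 99.0.4844.59 after 150.0.7871.47 and miss that install.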
Risk and Exploitability
The vulnerability is rated high severity by Chromium security reviews. The attacker requires remote access to the renderer process, which typically means successful phishing or exploitation of another vulnerability that allows code execution in that context. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the publicly documented exploitation probability is unknown. Nevertheless, the combination of sandbox escape potential and the need for a compromised renderer process indicates a significant risk to confidentiality and integrity for users of the affected builds.