Impact
Insufficient policy enforcement in the GuestView component of Google Chrome allowed a maliciously crafted HTML page to bypass site isolation, the boundary that normally keeps a renderer process separate from other sites. The flaw can be triggered only after an attacker has already compromised the renderer process, and it gives them the ability to elevate privileges within that tab. This bypass can expose sensitive data from other sites or allow the attacker to execute privileged code in the context of other browser tabs. The risk is limited to the user’s browser session but can have serious implications for data confidentiality and integrity within that session.
Affected Systems
All users running Google Chrome versions earlier than 150.0.7871.47 are affected.
Risk and Exploitability
The CVE is classified as Medium severity by Chromium. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker must already have control of the renderer process, which typically requires a separate local or network compromise. Once that condition is met, the attacker can bypass site isolation within the browser session. The lack of publicly reported exploitation and the absence from the KEV list suggest low to moderate current risk, but defenders should assume the risk could rise as the vulnerability becomes known.