Impact
A race condition exists within Chrome's DataTransfer API that permits a remote attacker to read sensitive data from process memory via a specially crafted HTML page. The flaw arises when the DataTransfer object is manipulated before the underlying data transfer lifecycle is finalized, allowing the attacker to obtain data that should remain confidential. Chromium categorizes the vulnerability as Medium severity, indicating that the leakage could potentially expose user credentials, cookies, or other private data.
Affected Systems
Google Chrome versions earlier than 150.0.7871.47 are affected. The issue impacts all platforms where Chrome is installed and used to view HTML content, as the vulnerability is triggered purely in the browser rendering engine. Users who continue to run older Chrome releases remain vulnerable until they upgrade to a newer build that contains the race condition fix.
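The version boundary above can be checked across an inventory of collected version strings. The following is an added example, not part of the original advisory or of any vendor tooling; the host names and the sample version strings are constructed, and only the fixed build 150.0.7871.47 comes from the text above.

```python
import re

# Fixed build taken from the advisory text above.
FIXED_BUILD = (150, 0, 7871, 47)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
# The lookarounds reject longer dotted runs such as "1.2.3.4.5".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version found in text as ints, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if below the fixed build, False if at or above, None if unparseable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 150.0.800.0 sorts below
    # 150.0.7871.47; a plain string comparison would get that case wrong.
    return version < FIXED_BUILD


def audit(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(raw)] for host, raw in inventory.items()}


# Constructed sample inventory: strings shaped like `google-chrome --version`
# output, plus one failed collection. Hosts and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 149.0.7827.102 ",
    "ws-02": "Google Chrome 150.0.7871.47",
    "ws-03": "Google Chrome 150.0.7871.9",
    "ws-04": "Google Chrome 150.0.800.0",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be re-collected rather than treated as fixed.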
Risk and Exploitability
The likely attack vector is remote, via a malicious web page that the user visits. To exploit the flaw, the attacker must first trick the victim into accessing a crafted page, after which the race in DataTransfer can expose memory contents. The exploit does not require elevated local privileges and can be performed against any user who loads the malicious page. While the EPSS is not available and the vulnerability is not listed in CISA's KEV catalog, its Medium severity rating suggests a moderate risk if the vulnerability is actively targeted. Successful exploitation would result in the disclosure of potentially sensitive data, compromising the confidentiality of the affected user's data.