Impact
A use-after-free flaw was discovered in the Skia graphics library bundled with Google Chrome for Android. The defect allows an attacker who can serve a specially crafted HTML page to a target user to trigger use of the freed memory and execute arbitrary code inside the browser's standard sandbox. This flaw can compromise the confidentiality and integrity of the data the browser handles and may be leveraged to further breach the device if the sandbox can be escaped.
Affected Systems
The vulnerability affects Google Chrome on Android versions earlier than 150.0.7871.47. Any device running these releases that processes untrusted web content is potentially exposed, irrespective of the operating system version.
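A check for the version threshold above, as an added example that is not part of the advisory: it reads the output of `adb shell dumpsys package com.android.chrome` and compares the reported `versionName` with the fixed release. The package name for Chrome stable and the rule that the first `versionName` line is the active install are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a device's Chrome build
# against the fixed release named in the "Affected Systems" paragraph.
FIXED="150.0.7871.47"

# Read `dumpsys package com.android.chrome` text on stdin, print versionName.
# Assumption: an updated system app lists the active install first and the
# factory copy later under "Hidden system packages", so keep the first match.
chrome_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 150.0.999.0 < 150.0.7871.47.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not lower
    }'
}

# Print "vulnerable <v>", "patched <v>", or "unknown" for stdin.
classify() {
    v=$(chrome_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Constructed sample of dumpsys output; on a real device use:
#   adb shell dumpsys package com.android.chrome | classify
classify <<'EOF'
Packages:
  Package [com.android.chrome] (constructed):
    versionCode=1 minSdk=29 targetSdk=35
    versionName=150.0.7871.12
EOF
```

Version strings taken from the User-Agent header are not a substitute for this check, because Chrome's reduced User-Agent reports only the major version.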
Risk and Exploitability
Chromium rates the issue as Medium, and it is not listed in CISA’s KEV catalog. No EPSS score is publicly available, but because the vulnerability is remotely exploitable via a maliciously crafted page, an attacker who can deliver the page to a user has a high likelihood of success. Exploitation requires user interaction: the target must visit or open a link to a page that triggers the use-after-free. Once exploited, the attacker gains code execution within Chrome’s sandbox.