Impact
The vulnerability lies in the NFC implementation in Google Chrome on Android. An attacker who has already compromised the renderer process can use a crafted HTML page to read and transmit data that originates from a different web origin, leaking confidential information across site boundaries. The weakness corresponds to improper information disclosure (CWE-200).
Affected Systems
Google Chrome on Android versions prior to 150.0.7871.47 are impacted. The issue affects all mobile devices running the affected stable channel, including older Android devices on which Chrome has not been updated to that version.
Risk and Exploitability
Chromium rates this issue as Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker has already gained control of the renderer process, which typically implies a prior local compromise or exploitation of another vector. Because the damage is limited to cross-origin data leakage and compromising the renderer is nontrivial, the overall risk is moderate, but the potential damage to user privacy could be significant.