Impact
A remote attacker who has already compromised the renderer process can exploit a lack of policy enforcement in the Serial API in Google Chrome to escape the browser sandbox. The flaw, rooted in improper input validation (CWE-20), lets an attacker use a crafted HTML page to gain higher privileges, potentially enabling execution of arbitrary code at the operating-system level. The immediate consequence is compromise of the client machine: the attacker can execute code with the privileges of the user running Chrome.
Affected Systems
Google Chrome browsers whose version is older than 150.0.7871.47 are affected. This includes all desktop releases that have not yet applied the 150.0.7871.47 update, regardless of operating system. Users running versions before this build should update to eliminate the vulnerability.
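A defender-side check for the version range above, added here as an example and not part of the OpenCVE advisory: it parses a Chrome version string, compares it numerically (not lexically) against the fixed build 150.0.7871.47 stated on the page, and, on Linux/macOS, queries the installed browser assuming one of the common binary names is on PATH.

```python
"""Report whether a Chrome build predates the fixed release 150.0.7871.47.

Added example, not from the advisory. The fixed build number is the one
the advisory gives; binary names and the "--version" output format
("Google Chrome 149.0.7800.12") are assumptions about typical installs.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "150.0.7871.47"  # first build carrying the fix (from the advisory)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number from text and return it as a
    tuple of ints so that 150.0.7871.47 > 9.9.9999.99 (string compare would
    get this wrong because "1" < "9")."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is older than the fixed build.
    A truncated string such as "150.0" yields (150, 0), which Python orders
    before (150, 0, 7871, 47), so incomplete data is reported as affected
    rather than silently treated as patched."""
    return parse_version(installed) < parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Best-effort lookup of the local Chrome binary (Linux/macOS names;
    assumed, not from the advisory). Returns None when nothing is found."""
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    version = installed_chrome_version()
    if version is None:
        print("Chrome not found on PATH")
    else:
        verdict = "AFFECTED, update required" if is_affected(version) else "fixed build or newer"
        print(f"{version}: {verdict}")
```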
Risk and Exploitability
Chromium labels the issue as medium severity. Because the EPSS score is unavailable, the statistical probability of exploitation is not quantified. The bug is not listed in the CISA KEV catalog. To exploit it, an adversary must first gain control of the renderer process, then serve a malicious HTML page crafted to trigger the Serial API validation flaw. When combined, these conditions can result in sandbox escape and subsequent system compromise. The lack of broader exploitation data suggests the risk is moderate to high for users whose Chrome has not been updated.
OpenCVE Enrichment