Impact
Google Chrome versions before 150.0.7871.47 contain an insufficient validation flaw in DeviceBoundSessionCredentials that can be triggered by a maliciously crafted HTML page. The defect, a form of CWE-20 improper input validation, lets an attacker bypass the same-origin policy, so that scripts can read from or write to resources that would normally be restricted to the page's origin. Such a capability could be leveraged to exfiltrate sensitive data, inject malicious content, or lead to further compromise if the browser interacts with trusted sites.
Affected Systems
Google Chrome prior to version 150.0.7871.47 on all supported operating systems.
Risk and Exploitability
Chromium rates this CVE as Medium severity. No CVSS vector is provided, and EPSS is not available, suggesting that the probability of automated exploitation is low. The vulnerability requires a victim to visit a crafted HTML page, often through phishing or an enticing link, so exploitation depends on user interaction. If successful, the attacker can bypass same-origin restrictions and gain read/write access to cross-origin data, posing a significant confidentiality and integrity risk for browser users.
OpenCVE Enrichment