Impact
A local attacker can exploit insufficient validation of untrusted input in the user interface of Google Chrome on Android to elevate privileges by crafting a malicious file. The vulnerability is a classic input validation flaw that allows the attacker to trigger the UI with crafted data, resulting in the application running with higher privileges than intended. This could enable the attacker to modify application data, install unauthorized code, or access sensitive information within the device.
Affected Systems
Google Chrome for Android versions earlier than 150.0.7871.47 are affected. Users running any of these versions on Android devices are at risk. The issue is specific to the Chrome UI handling of files.
Risk and Exploitability
The vulnerability carries a medium security severity in Chromium’s classification and could be exploited by a local attacker who already has a foothold on the device. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to create a malicious file on the device and then interact with the Chrome UI to trigger the flaw, so the attack vector is local and the attacker must have a degree of local access to the device.
OpenCVE Enrichment