Impact
The vulnerability originates from an inadequate implementation of the Video Capture component in Google Chrome on ChromeOS. A local attacker who can present a crafted HTML page can deceive the browser into displaying UI elements that do not reflect the true state of the device, such as fake camera or microphone indicators. This manipulation of the user interface can lead to deceptive interactions and is categorized as a local UI spoofing flaw, indexed as CWE-20.
Affected Systems
The flaw impacts any ChromeOS system running Google Chrome versions earlier than 150.0.7871.47. The issue was resolved in the 150.0.7871.47 stable channel update; newer Chromium releases are not affected.
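To act on the version boundary above, the following added example (not part of the advisory or of any Chrome tooling) classifies a fleet inventory export against 150.0.7871.47. The `device,version` line format, the device names and all sample rows are constructed assumptions.

```python
import re

# Fixed version stated in the advisory above.
FIXED = (150, 0, 7871, 47)

# Four-part Chrome version such as "150.0.7871.47", not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one reported version string as vulnerable, patched or unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    # A reduced User-Agent string reports MAJOR.0.0.0, which says nothing about
    # the build and patch level, so it cannot be compared with the fixed version.
    if v[1:] == (0, 0, 0):
        return "unknown"
    # Tuple comparison is numeric per component. A plain string comparison
    # would rank "150.0.7871.5" above "150.0.7871.47" and miss that device.
    return "vulnerable" if v < FIXED else "patched"


def audit(lines):
    """Map device id -> classification for 'device,version' lines (assumed format)."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, version_text = line.partition(",")
        results[device.strip()] = classify(version_text)
    return results


# Constructed sample inventory; device names and version values are illustrative only.
INVENTORY = """\
# device,reported browser version
cb-001,Google Chrome 149.0.7827.101
cb-002,150.0.7871.47
cb-003,150.0.7871.5
cb-004,Chrome/150.0.0.0
cb-005,151.0.7900.12
cb-006,n/a
"""

if __name__ == "__main__":
    for device, status in audit(INVENTORY.splitlines()).items():
        print(f"{device}: {status}")
```

Devices reported as `unknown` need their version confirmed from a source that exposes the full four-part build number before they can be ruled in or out.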
Risk and Exploitability
Because the attack requires local access with a crafted webpage, exposure is limited to users who can open the malicious page or execute code on the machine. The vulnerability is not remotely exploitable and is not listed in the CISA KEV catalog. Chromium rates the severity as medium and no EPSS data is available, which indicates a moderate overall risk, although the social engineering impact could be significant in mixed-user environments.