Impact
Insufficient policy enforcement in Chrome extensions prior to version 150.0.7871.47 allows an attacker who persuades a user to install a malicious extension to perform user interface spoofing. The flaw lets a crafted extension replicate or modify UI elements, potentially enabling phishing or credential theft. The Chromium team rates the severity as medium, indicating that the issue primarily undermines user trust rather than providing a direct code‑execution path.
Affected Systems
All users of the Google Chrome desktop browser running any version older than 150.0.7871.47 are affected. The threat does not apply to Chrome for Android or Chrome OS. Versions 150.0.7871.47 and newer include the corrected policy enforcement and are considered unaffected until further notice.
Risk and Exploitability
The description implies that the attack requires a social‑engineering step in which the user installs the malicious extension; no network or privileged access is needed. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that no active exploitation is currently known. Nonetheless, the potential for phishing or credential theft gives the flaw a moderate impact level.
OpenCVE Enrichment