Impact
Insufficient validation of untrusted input in the DevTools window of Google Chrome on Windows lets a remote attacker, who convinces a user to perform specific UI gestures, read potentially sensitive data from the browser's process memory through a crafted HTML page. The flaw is tied to Input Validation weaknesses (CWE‑20). The attack requires user interaction with a malicious page that triggers devtools actions, so it is not a purely blind remote exploit but still permits disclosure of in‑memory information that could include credentials or other sensitive data.
Affected Systems
Google Chrome for Windows versions earlier than 150.0.7871.47 are affected. The vulnerability was present in all stable channel builds up to that version and has been fixed in subsequent releases.
Risk and Exploitability
Chromium rates the issue as Medium severity. CVSS scoring is not provided, and the EPSS score is unavailable, but the exploitability depends on a user’s willingness to engage with a malicious page. Because it requires user interaction and untrusted input in DevTools, the risk is moderate, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need to lure a user to a crafted page and induce the specific UI gestures required to expose process memory contents.
OpenCVE Enrichment