Impact
An insufficient data validation flaw in the PDF handling code of Google Chrome allows a remote attacker who has already compromised the renderer process to bypass navigation restrictions via a crafted HTML page. The underlying weakness is improper input validation (CWE-20). This flaw lets the attacker force the browser to navigate to arbitrary URLs even when navigation is meant to be blocked, potentially enabling phishing or other malicious resource loading.
Affected Systems
Google Chrome desktop versions prior to 150.0.7871.47 are affected. Every earlier release is vulnerable until it is updated to a build that includes the fix. No specific patch is currently published beyond the announced fixed version.
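The version boundary above can be checked across an inventory with a short script. This is an added example, not part of the advisory or of any Chromium tooling; the host names and version strings in the sample are constructed, and the function names are hypothetical.

```python
import re

# Fixed version as stated in the advisory above.
FIXED = (150, 0, 7871, 47)

# Exactly four dot-separated numeric components, not part of a longer run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 149.0.7800.12 beta'. Returns a tuple of ints or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'affected', 'fixed' or 'unknown' for one inventory value."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # never silently treat unparsable data as safe
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would rank '99.0.4844.51' above '150.0.7871.47'.
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory."""
    return {host: classify(value) for host, value in inventory.items()}


# Constructed sample inventory (hosts and version strings are made up).
SAMPLE = {
    "ws-01": "Google Chrome 150.0.7871.47",
    "ws-02": "Google Chrome 149.0.7800.12",
    "ws-03": "99.0.4844.51",
    "ws-04": "150.0.7871.46",
    "ws-05": "not installed",
    "ws-06": "Google Chrome 151.0.7900.3 beta",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {status}")
```

Hosts reported as `unknown` need a manual check rather than being counted as patched.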
Risk and Exploitability
The Chromium project rates the issue as Medium severity. No EPSS score is available, and CISA KEV lists no publicly known exploits for it. Exploitation has one prerequisite: a local compromise of the renderer process. Once that occurs, the attacker can craft an HTML document that triggers navigation to a target URL, bypassing standard restrictions. Because the flaw is not remote code execution and relies on prior compromise, the overall risk is limited, but it remains significant in scenarios where a renderer compromise can be achieved, such as via other vulnerabilities or social engineering.