Impact
A heap buffer overflow in the V8 JavaScript engine allows a remote attacker to craft an HTML page that triggers the overflow and potentially executes arbitrary code inside Chrome's sandbox. The underlying weakness is a type confusion flaw (CWE-843) that lets the attacker inject and run arbitrary code, potentially compromising the user process or any services that the sandboxed content communicates with. Chromium rates the issue Medium severity, but remote code execution, even inside the sandbox, still poses a significant risk as a first step toward elevated privileges within the browser context.
Affected Systems
Google Chrome on the stable channel is affected in every installation prior to version 150.0.7871.47. The flaw lives in V8, the JavaScript engine, so it is present on every platform Chrome runs on (Windows, macOS and Linux) and in other Chromium-based browsers that ship the affected engine version, until the update is applied.
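A defender's first question for an advisory like this is which hosts in inventory are still below the fixed version. The following is an added example, not code from the advisory or from Chromium: it parses the dotted Chrome version string and compares it numerically against 150.0.7871.47 (the fixed version named above). The `google-chrome --version` output format it parses ("Google Chrome 150.0.7871.47") and the sample lines are assumptions constructed for the example, not collected from real hosts.

```python
import re
from typing import Tuple

# Fixed version taken from the advisory text above.
FIXED_VERSION = "150.0.7871.47"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into ints.

    Comparing integer tuples avoids the lexical trap where the string
    "9" sorts after "10".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one.

    Missing trailing components are treated as zero, so "150.0" compares
    as 150.0.0.0 and is reported as affected (a conservative choice).
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Assumed format of `google-chrome --version` / `chrome.exe --version`
# output, e.g. "Google Chrome 150.0.7871.47" or "Chromium 149.0.7000.12".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def version_from_cli_output(text: str) -> str:
    """Extract the first dotted version number from a CLI output line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return m.group(1)


def triage(cli_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Return a small inventory record for one host's reported version."""
    v = version_from_cli_output(cli_output)
    return {"installed": v, "fixed": fixed, "affected": is_affected(v, fixed)}


if __name__ == "__main__":
    # Constructed sample outputs for demonstration, not real host data.
    samples = [
        "Google Chrome 150.0.7871.46",
        "Google Chrome 150.0.7871.47",
        "Google Chrome 150.0.7900.1",
        "Chromium 149.0.7000.12",
    ]
    for line in samples:
        print(triage(line))
```

Only versions strictly below the fixed build are flagged; the fixed version itself and anything newer pass, and a host whose reported version has fewer components than four is treated as affected rather than silently passing.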
Risk and Exploitability
The vulnerability is triggered by a crafted HTML page, so a malicious site can exploit it as soon as a user navigates to the page. No EPSS score is available, and the vulnerability is not yet listed in the CISA KEV catalog. The risk level is determined by the Medium severity assigned by Chromium together with the remote nature of the attack. A successful attacker executes code with the privileges of the sandboxed process, which can be a stepping stone to broader system compromise if the sandbox is bypassed or the code can interact with system resources.
OpenCVE Enrichment