Impact
A use‑after‑free flaw in Chrome’s Bluetooth implementation on macOS before version 150.0.7871.47 allows an attacker who convinces a user to install a crafted Chrome extension to run arbitrary code. The vulnerability is classified as CWE‑416 and provides code‑execution privileges at the level of the Chrome process, potentially enabling full system compromise. Chromium assessed this flaw as low severity, but the impact of executing arbitrary code should not be underestimated.
Affected Systems
All installations of Google Chrome on macOS with versions earlier than 150.0.7871.47 are affected. Users who install extensions from untrusted or unknown publishers are at risk because the flaw is triggered only when such an extension is installed.
Risk and Exploitability
EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no evidence of active exploitation. Exploitation requires the user to install a malicious extension, so the likely attack vector is social engineering or distribution of malicious extensions. Based on the description, it is inferred that local user interaction is sufficient for exploitation; no remote network access is required.
OpenCVE Enrichment