Impact
Insufficient policy enforcement in Chrome’s GetUserMedia allowed a remote attacker to bypass the same-origin policy through a crafted HTML page, potentially enabling cross-origin data exfiltration. The vulnerability exists because media device access permissions are not correctly enforced, leading to unintended access across origin boundaries. This flaw can be used by an attacker hosting a malicious page to gain access to media streams or hidden information that should have been restricted to the original origin.
Affected Systems
All users of Google Chrome versions earlier than 150.0.7871.47 are affected, regardless of operating system, until the update is applied.
Risk and Exploitability
Chromium rates the severity of this vulnerability as low. No EPSS score is available, and it is not listed in CISA’s KEV catalog. The likely attack vector requires the victim to visit a specially crafted web page hosted by the attacker. Because the flaw lies in policy enforcement rather than in a direct code execution path, the consequences of exploitation are relatively modest, but it still lifts the same-origin restriction and can allow data leakage or interactions with media devices that the victim would normally be prevented from accessing.
OpenCVE Enrichment