Impact
Use‑after‑free in BrowserTag first appeared in Google Chrome and allows an attacker who persuades a user to install a malicious extension to corrupt the heap through crafted extension code. The vulnerability is classified as a use‑after‑free flaw (CWE‑416) and may lead to arbitrary code execution if the attacker succeeds, albeit the Chromium security team assessed the severity as low.
Affected Systems
All desktop builds of Google Chrome older than version 150.0.7871.47 are affected. The flaw resides in the BrowserTag component and is triggered only when the user installs a malicious or maliciously modified extension.
Risk and Exploitability
The risk is low according to Chrome’s assessment, and no EPSS score is available. The exploit requires social engineering to convince a user to install a malicious extension and does not rely on a network‑remote vector. The vulnerability is not listed in the CISA KEV catalog, but local privilege is sufficient to trigger it, so users with the ability to install extensions may be at risk.
OpenCVE Enrichment