Impact
Insufficient enforcement of extension policy in Google Chrome versions prior to 150.0.7871.47 gives a remote attacker, who has already compromised the renderer process, the ability to craft an HTML page that can read cross‑origin data. The flaw effectively allows an extension to bypass its intended access controls and leak sensitive information to the attacker. The weakness is a form of improper access control, as the renderer’s policy checks are not correctly applied to extensions.
Affected Systems
The vulnerability affects the Google Chrome browser on all platforms for any installation older than version 150.0.7871.47. Any user running a pre‑patch build is susceptible until a newer release is installed.
Risk and Exploitability
Exploitation requires a prior compromise of the renderer process, which is a non‑trivial prerequisite. The EPSS score is not available and the flaw is not listed in CISA’s KEV catalog, indicating a low likelihood of widespread exploitation. Nonetheless, once the renderer is compromised the attacker can read any cross‑origin data presented to the extension, posing a confidentiality risk. Chromium classifies the severity as low, suggesting that attacks would likely be targeted rather than mass‑scale.
OpenCVE Enrichment