Impact
An inappropriate implementation of the FedCM feature in Google Chrome allows a remote attacker to bypass the web browser's same‑origin policy using a crafted HTML page. This flaw enables the attacker to read or modify data that would normally be restricted to a particular origin, thereby violating the confidentiality and integrity guarantees typically provided by the browser sandbox. The vulnerability is classified with low severity by Chromium security, indicating that while the attack is possible, it does not immediately lead to code execution or denial of service.
Affected Systems
Google Chrome versions earlier than 150.0.7871.47 are affected. The flaw exists in the FedCM implementation shipped with these releases and has been addressed in the 150.0.7871.47 update and later.
Risk and Exploitability
The exploitability of this vulnerability is low. No exploit has been reported and the EPSS score is not available, implying a minimal chance of real‑world attacks. It is not listed in the CISA KEV catalog. Because the flaw only permits same‑origin policy circumvention, an attacker would need to supply a specially crafted page to the target system, suggesting that the attack vector is a client‑side drive‑by scenario rather than a network‑level attack. Overall risk remains low, but patching is recommended to eliminate the possibility of future exploitation.
OpenCVE Enrichment