Impact
The vulnerability is a failure to properly validate untrusted input in the PageInfo component of Google Chrome. An attacker who has already compromised the renderer process can deliver a crafted HTML page that overrides browser-enforced navigation restrictions, allowing unauthorized redirects or other unintended navigation behavior. This flaw, rooted in CWE-20, could be leveraged to facilitate phishing or to trick users into visiting malicious sites without their consent, potentially exposing sensitive information or enabling further attacks.
Affected Systems
Google Chrome versions prior to 150.0.7871.47 are affected. Users running older Chrome builds are susceptible, while 150.0.7871.47 and newer releases include the fix for this input validation defect.
Risk and Exploitability
The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, indicating a lower exploitation prevalence at this time. Chromium rates the vulnerability as low severity. Exploitation requires the attacker to first gain control of the renderer process, which typically arises from a separate vulnerability or social‑engineered compromise. Once renderer control is achieved, the attacker can bypass navigation restrictions, potentially redirecting the user to malicious content. The risk is moderate in the context of an already compromised renderer, but the broader likelihood of exploitation remains low given the high barrier to initial compromise.