Impact
A use-after-free bug in the Windows Chrome installer allows a local attacker running a crafted installer file to escape the installer sandbox and gain elevated privileges on the system. The flaw is triggered by a freed memory reference within the installer code, enabling the attacker to execute arbitrary code with the privileges of the installing user. This vulnerability is classified as CWE-416 and is reported at low severity by Chromium teams.
Affected Systems
Google Chrome for Windows versions earlier than 150.0.7871.47 are vulnerable. The issue appears only on the Windows operating system. Installing or updating Chrome to a version that includes the fix (150.0.7871.47 or later) removes the use-after-free condition.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Although the severity rating is low, the flaw permits a local privilege escalation, so any user with access to a malicious installer file can exploit it. The attack requires the attacker to supply a crafted installer and run it locally, so it is confined to environments where such files can be introduced.
OpenCVE Enrichment