Impact
An insufficient validation of untrusted input occurs in the WebAppInstalls feature of Google Chrome prior to version 150.0.7871.47. Because the application fails to properly filter or sanitize input embedded in a crafted HTML page, a remote attacker can construct a malicious document that bypasses normal input checks and injects code. This flaw allows the attacker to execute arbitrary code inside Chrome’s sandbox environment, which, while isolated from the operating system, compromises the confidentiality and integrity of the browser’s internal state and can be leveraged for further attacks such as privilege escalation or data exfiltration. The weakness is a classic example of Input Validation failure, classified as CWE-20.
Affected Systems
The vulnerability affects Google Chrome running on desktop platforms. All users of Chrome versions earlier than 150.0.7871.47 are potentially impacted, regardless of operating system. The issue is specific to the WebAppInstalls component and does not currently affect other Chrome modules.
Risk and Exploitability
There is no published EPSS score, and the vulnerability is not listed in CISA’s KEV catalog. The flaw permits remote execution of arbitrary code via a crafted HTML page, but Chromium flags its security severity as Low. The remote attacker can target users by hosting a malicious web page that exploits the WebAppInstalls component; once executed, the code runs inside Chrome’s sandbox, limiting OS impact but still compromising browser data and potentially enabling lateral privilege escalation. Due to the lack of public exploitation records and the low severity rating, the overall exploitation risk is considered moderate, but prompt patching is still advised.
OpenCVE Enrichment