Impact
A flaw in how the Text component of Google Chrome for Android handled untrusted input allowed an attacker who had already compromised the renderer process to supply a crafted HTML page that could potential for the attacker to run code with the same privileges as the renderer process, which may allow arbitrary code execution on the device. The underlying weakness is an input validation flaw (CWE‑20).
Affected Systems
All Android installations of Google Chrome earlier than version 150.0.7871.47 are vulnerable.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly recorded exploitation as attack requires that an attacker first gain control of the renderer process, which is a remote code execution vector. If successful, the attacker could escape the sandbox and elevate privileges on the victim device. Given the lack of public exploitation data rating, the likelihood of an immediate attack appears moderate, but the potential impact remains significant if the renderer is compromised.
OpenCVE Enrichment