Impact
A use‑after‑free bug was found in Chrome’s Actor component that permits a remote attacker to run arbitrary code inside the browser’s sandbox when a user opens a specially crafted HTML page. The flaw, identified as CWE‑416, allows memory misuse that can lead to arbitrary code execution while the browser process remains sandboxed. If an attacker elevates this code outside the sandbox, the compromise could affect the entire host system, potentially leaking sensitive data or enabling further exploitation. Overall, the vulnerability carries a high severity level according to Chromium’s internal rating.
Affected Systems
Google Chrome is affected, with all releases prior to version 150.0.7871.115 vulnerable. Users running those earlier builds are at risk.
Risk and Exploitability
The vulnerability can be triggered remotely by hosting or delivering a malicious web page to the user. While the exploit requires the ability to create a use‑after‑free condition in the Actor layer, it does not need user interaction beyond visiting the page, making it socially engineerable. Although sandbox restrictions limit immediate system impact, the potential to escape the sandbox elevates the risk. No EPSS score is available and the flaw is currently not listed in the CISA KEV catalog, but the high severity rating indicates that defenders should treat it as a serious threat.
OpenCVE Enrichment