Impact
Use after free in the Input component of Google Chrome versions before 150.0.7871.115 allows a remote attacker to craft a malicious HTML page that causes the browser to execute code within a sandboxed environment. The vulnerability is a classic use‑after‑free flaw (CWE‑416). Once triggered, the attacker can run arbitrary code inside the sandbox which may lead to privilege escalation or compromise of the user’s local environment if the sandbox is fully trusted. The effect is therefore the execution of arbitrary code with the power of the browser process.
Affected Systems
Google Chrome, all operating systems where the browser is installed, on any machine running a version prior to Chrome 150.0.7871.115. Users need to check their installed Chrome version and apply the update to a supported release to eliminate the flaw.
Risk and Exploitability
Chromium lists the issue as high severity. No EPSS score is available and it is not present in the CISA KEV catalog, so the current exploitation probability is unknown. The vulnerability requires the delivery of a specially crafted HTML page, meaning a remote attacker can execute this trade‑off through browsers accessed over the Internet. Once the use‑after‑free is triggered, arbitrary code runs within the sandbox, potentially compromising the entire session if the sandbox trusts the page resources. Overall, the risk is significant for any system that allows the user to load untrusted web content.
OpenCVE Enrichment