Impact
Google Chrome for Windows versions earlier than 150.0.7871.115 contains an insufficient validation flaw in the codecs module that allows a remote attacker, once they have compromised the renderer process, to potentially escape the sandbox. The vulnerability is a classic input validation weakness (CWE-20) and could allow malicious content to gain higher privileges within the browser or the operating system. The attack requires that the attacker can supply crafted HTML to the renderer, but does not involve memory corruption or arbitrary code execution directly from outside the sandbox.
Affected Systems
All on‑premises Windows installations of Google Chrome running a workflow that includes the codecs module and that have not been updated to 150.0.7871.115 or later. The affected product is Google Chrome for Windows; no specific patched version is listed in the CNA data aside from the mentioned baseline release.
Risk and Exploitability
The vulnerability carries a high severity in Chromium’s scoring but currently has no EPSS data available, suggesting a low frequency of exploitation in the broader landscape. It is not listed in the CISA KEV catalog. However, exploitation would only be possible once a priority 1/2 compromise of the renderer process is achieved, which itself is nontrivial. The attacker would then create a crafted HTML page that triggers the validation flaw, enabling sandbox escape. Organizers typically recommend that all users update Chrome promptly and keep renderer isolation enabled.
OpenCVE Enrichment