Impact
The vulnerability lies in insufficient policy enforcement within Chrome’s Passwords component before version 150.0.7871.115, allowing a remote attacker to bypass the same‑origin policy. This can enable cross‑origin access to data that should be isolated, potentially leading to theft or manipulation of stored credentials and other sensitive information. The weakness is an improper access control flaw that undermines browser isolation guarantees.
Affected Systems
Google Chrome browsers running any firmware earlier than 150.0.7871.115 are affected. Users of the stable channel prior to this build are at risk, while all newer releases incorporate the fix.
Risk and Exploitability
The vulnerability carries a high Chromium severity rating. No EPSS value is available, and it is not listed in the CISA KEV catalog, suggesting low publicly known exploitation evidence. However, a remote attacker can craft a malicious HTML page and deliver it via any vector that delivers web content to the browser, making the attack feasible when users visit or open such pages. The absence of a published workaround and low exploitation probability do not mitigate the inherent risk of the flaw.
OpenCVE Enrichment