Impact
A use‑after‑free flaw in the Form handling of Google Chrome prior to version 150.0.7871.115 allows a remote attacker to execute arbitrary code within the browser sandbox by delivering a specially crafted HTML page. The vulnerability is a classic memory corruption bug (CWE‑416) that, once triggered, grants the attacker execution capabilities inside the sandboxed environment. While the sandbox limits system impact, arbitrary code execution in that context can compromise user data, exfiltrate information, or pivot to higher privileges if the sandbox is escaped or if downstream extensions are affected.
Affected Systems
All users running Google Chrome stable channel builds older than 150.0.7871.115 are potentially exposed. The exact versions affected are not enumerated in the advisory, but the issue was fixed in the 150.0.7871.115 release, which is the recommendation for all existing installations.
Risk and Exploitability
The CVE is classified with high severity, yet no EPSS value is published and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be through an attacker‑controlled web page that users visit, since the flaw is triggered by a crafted HTML form. Exploitation would require the user to load the exploit page, so the risk is moderate to high for environments where users visit untrusted sites. Once the exploit is executed, the attacker can perform actions limited by the browser sandbox, but the impact could still be significant if sandbox escapes or policy violations occur.
OpenCVE Enrichment