Impact
The vulnerability in Google Chrome for Windows prior to version 148.0.7778.168 allows a remote attacker who has already compromised the renderer process to elevate privileges through a crafted HTML page. This flaw arises from insufficient policy enforcement in the Chrome Passwords component, corresponding to CWE-266 and CWE-862, enabling the attacker to bypass privilege checks and execute code with higher privileges on the host system. The security team labels the issue as high severity, indicating a significant risk to system integrity.
Affected Systems
Google Chrome on Windows is affected in any build earlier than 148.0.7778.168. The advisory lists the bug as relevant to Windows platforms only, with no other vendors or products involved.
Risk and Exploitability
Exploitation requires the attacker to first compromise the renderer process, after which a maliciously crafted HTML page can trigger the privilege escalation flaw. The CVSS score of 7.5 indicates high severity. Because the attack relies on an initial renderer compromise, the overall likelihood may be lower for generic attackers, yet the potential impact is high should the attacker succeed. The EPSS score is 0.00066, indicating a very low yet non-zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no confirmed active exploitation is reported at this time.